b"<html>\n<title> - EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S INFORMATION SHARING APPARATUS</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n   EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S \n                     INFORMATION SHARING APPARATUS \n\n=======================================================================\n\n                             JOINT HEARING\n\n                               before the\n\n                     SUBCOMMITTEE ON ENERGY POLICY,\n                      HEALTH CARE AND ENTITLEMENTS\n\n                                 of the\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n\n                                and the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n                       INFRASTRUCTURE PROTECTION,\n                       AND SECURITY TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 17, 2013\n\n                               __________\n\n                           Serial No. 113-66\n\n             (Committee on Oversight and Government Reform)\n\n                           Serial No. 113-25\n\n                    (Committee on Homeland Security)\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n\n                               ----------\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n86-193 PDF                       WASHINGTON : 2014 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Printing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                 DARRELL E. ISSA, California, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York\nPATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of \nJIM JORDAN, Ohio                         Columbia\nJASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts\nTIM WALBERG, Michigan                WM. LACY CLAY, Missouri\nJAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts\nJUSTIN AMASH, Michigan               JIM COOPER, Tennessee\nPAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia\nPATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California\nSCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, \nTREY GOWDY, South Carolina               Pennsylvania\nBLAKE FARENTHOLD, Texas              MARK POCAN, Wisconsin\nDOC HASTINGS, Washington             TAMMY DUCKWORTH, Illinois\nCYNTHIA M. LUMMIS, Wyoming           ROBIN L. KELLY, Illinois\nROB WOODALL, Georgia                 DANNY K. DAVIS, Illinois\nTHOMAS MASSIE, Kentucky              PETER WELCH, Vermont\nDOUG COLLINS, Georgia                TONY CARDENAS, California\nMARK MEADOWS, North Carolina         STEVEN A. HORSFORD, Nevada\nKERRY L. BENTIVOLIO, Michigan        MICHELLE LUJAN GRISHAM, New Mexico\nRON DeSANTIS, Florida\n\n                   Lawrence J. Brady, Staff Director\n                John D. Cuaderes, Deputy Staff Director\n                    Stephen Castor, General Counsel\n                       Linda A. Good, Chief Clerk\n                 David Rapallo, Minority Staff Director\n\n      Subcommittee on Energy Policy, Health Care and Entitlements\n\n                   JAMES LANKFORD, Oklahoma, Chairman\nPATRICK T. McHENRY, North Carolina   JACKIE SPEIER, California, Ranking \nPAUL GOSAR, Arizona                      Minority Member\nJIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of \nJASON CHAFFETZ, Utah                     Columbia\nTIM WALBERG, Michigan                JIM COOPER, Tennessee\nPATRICK MEEHAN, Pennsylvania         MATTHEW CARTWRIGHT, Pennsylvania\nSCOTT DesJARLAIS, Tennessee          TAMMY DUCKWORTH, Illinois\nBLAKE FARENTHOLD, Texas              DANNY K. DAVIS, Illinois\nDOC HASTINGS, Washington             TONY CARDENAS, California\nROB WOODALL, Georgia                 STEVEN A. HORSFORD, Nevada\nTHOMAS MASSIE, Kentucky              MICHELLE LUJAN GRISHAM, New Mexico\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O'Rourke, Texas\nSteven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii\nLou Barletta, Pennsylvania           Filemon Vela, Texas\nChris Stewart, Utah                  Steven A. Horsford, Nevada\nRichard Hudson, North Carolina       Eric Swalwell, California\nSteve Daines, Montana\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\nMark Sanford, South Carolina\n                       Greg Hill, Chief of Staff\n          Michael Geffroy, Deputy Chief of Staff/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n                 Lanier Avant, Minority Staff Director\n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                 Patrick Meehan, Pennsylvania, Chairman\nMike Rogers, Alabama                 Yvette D. Clarke, New York\nTom Marino, Pennsylvania             William R. Keating, Massachusetts\nJason Chaffetz, Utah                 Filemon Vela, Texas\nSteve Daines, Montana                Steven A. Horsford, Nevada\nScott Perry, Pennsylvania            Bennie G. Thompson, Mississippi \nMichael T. McCaul, Texas (ex             (ex officio)\n    officio)\n               Alex Manning, Subcommittee Staff Director\n                    Dennis Terry, Subcommittee Clerk\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on July 17, 2013....................................     1\n\n                               WITNESSES\n\nMr. Alan R. Duncan, Assistant Inspector General for Security and \n  Information Technology Services, Treasury Inspector General for \n  Tax Administration\n    Oral Statement...............................................     9\n    Written Statement............................................    11\nThe Hon. Daniel Werfel, Principal Deputy Commissioner, Internal \n  Revenue Service\n    Oral Statement...............................................    22\n    Written Statement............................................    24\nThe Hon. Marilyn B. Tavenner, Administrator, Centers for Medicare \n  and Medicaid Services, U.S. Department of Health and Human \n  Services\n    Oral Statement...............................................    29\n    Written Statement............................................    31\nMr. John Dicken, Director, Health Care, U.S. Government \n  Accountability Office\n    Oral Statement...............................................    39\n    Written Statement............................................    41\n\n                                APPENDIX\n\nLetter from Mr. Daniel I. Werfel.................................   101\nOpening Statement from Ranking Member Yvette D. Clarke...........   102\nACA Implementation IRS Oversight Board Briefing submitted by Mr. \n  Jordan.........................................................   103\nStatement for the Record submitted by Ranking Member Bennie G. \n  Thompson.......................................................   113\n\n\n   EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S \n                     INFORMATION SHARING APPARATUS\n\n                              ----------                              \n\n\n                        Wednesday, July 17, 2013\n\n                  House of Representatives,\n    Subcommittee on Energy Policy, Health Care and \nEntitlements, Committee on Oversight and Government \n                             Reform, joint with the\n Subcommittee on Cybersecurity, Infrastructure Protection, \n and Security Technologies, Committee on Homeland Security,\n                                                   Washington, D.C.\n    The subcommittees met, pursuant to call, at 10:00 a.m., in \nRoom 2154, Rayburn House Office Building, Hon. James Lankford \n[chairman of the Subcommittee on Energy Policy, Health Care and \nEntitlements, Committee on Oversight and Government Reform] \npresiding.\n    Present: Representatives Lankford, Meehan, Gosar, McHenry, \nJordan, Walberg, DesJarlais, Perry, Woodall, Black, Issa (ex \nofficio), Speier, Clarke, Cardenas, Lujan Grisham, Maloney, and \nCummings (ex officio).\n    Staff present from the Committee on Government Reform: Kurt \nBardella, Senior Policy Advisor; Brian Blase, Senior \nProfessional Staff Member; Molly Boyl, Senior counsel and \nParliamentarian; Lawrence J. Brady, Staff Director; Caitlin \nCarroll, Deputy Press Secretary; Katelyn E. Christ, \nProfessional Staff Member; John Cuaderes, Deputy Staff \nDirector; Adam P. Fromm, Director of member Services and \nCommittee Operations; Linda Good, Chief Clerk; Meinan Goto, \nProfessional Staff Member; Tyler Grimm, Senior Professional \nStaff Member; Christopher Hixon, Deputy Chief Counsel, \nOversight; Mark D. Marin, Director of Oversight; Emily Martin, \nCounsel; Scott Schmidt, Deputy Director of Digital Strategy; \nRebecca Watkins, Deputy Director of Communications; Jaron \nBourke, Minority Director of Administration; Yvette Cravins, \nMinority Counsel; Susanne Sachsman Grooms, Minority Deputy \nStaff Director/Chief Counsel; Adam Koshkin, Minority Research \nAssistant; Suzanne Owen, Minority Health Policy Advisor; Safiya \nSimmons, Minority Press Secretary; and Mark Stephenson, \nMinority Director of Legislation.\n    Staff present from the Committee on Homeland Security: Alex \nManning, Subcommittee Staff Director; Kevin Gundersen, Senior \nProfessional Staff Member; Erik Peterson, Staff Assistant; \nMargaret Anne Moore, Special Assistant to the Chief of Staff; \nMichael McAdams, Deputy Press Secretary; Natalie Nixon, Deputy \nChief Clerk; Christopher Schepis, Minority Senior Professional \nStaff Member; and Adam Comis, Minority Communications Director.\n    Mr. Lankford. Committee will come to order. I would like to \nbegin this hearing by stating the Oversight Committee mission \nstatement. We exist to secure two fundamental principles. \nFirst, Americans have the right to know the money Washington \ntakes from them is well spent. Second, Americans deserve an \nefficient, effective government that works for them. Our duty \non the Oversight and Government Reform Committee is to protect \nthese rights. Our solemn responsibility is to hold government \naccountable to taxpayers because taxpayers do have a right to \nknow what they get from their government. We will work \ntirelessly in partnership with citizen watchdogs, deliver the \nfacts to the American people, and bring genuine reform to the \nfederal bureaucracy. This is the mission of the Oversight and \nGovernment Reform Committee.\n    Today's hearing is focused on the purpose and design of the \nhuge information-sharing apparatus being constructed to \nimplement the Affordable Care Act. Therein, we'll examine who \nwill have access to sensitive personal information, who will \ncontribute data, how the government will protect this \ninformation, and why this information is necessary at all. We \nhave the unusual combination of the IRS and HHS in our panel \ntoday because to accomplish the legal requirements of the ACA, \nit must work together to combine data from millions of people \nto allow exchanges to verify the subsidies and manage the \nintricacies of the Affordable Care Act.\n    This is an oversight hearing on the implementation of the \nlaw as well as with Homeland Security. The people giving \ntestimony today did not write the law. They are only trying to \nmake this confusing system work, so we get that. So we'll have \na lot of questions back and forth today to be able to process \non how to get this accomplished. We are not going to try to \nhold you responsible for the origin of the law, but we will \nhave decisions about the variety of decisions that you have \nmade to prepare to implement and enforce the law.\n    The other large amount of information sharing raises the \nrisk of identity theft and other types of misuse. This risk is \neven more pronounced since the Department of Health and Human \nServices has missed several of their own self-imposed \ndeadlines, and we'll want to know where we are on that.\n    A document obtained for GAO revealed that as of April 2013, \nthe department had only completed 20 percent of its work to \nestablish appropriate privacy protections and capacity to \naccept, store, associate, and process documents from an \nindividual applicant. Today, we hope to hear about the progress \nof the other 80 percent of that work. Two weeks ago, Treasury \nannounced that they would delay the employer mandate until \n2015. Just days later, the administration released another 650 \npages of regulations that limited the degree of applicant \nverification required by exchanges during the first year of \nimplementation.\n    Instead of verifying, applicants will now be on the honor \nsystem for the subsidy. The potential for fraud and honest \nmistakes are multiplied since no one understands this law, the \nsubsidies standards, how the administration defines a qualified \nemployer health plan or a myriad of other issues.\n    While I believe that the employer mandate is a terrible \npublic policy that's already hurt hundreds of thousands of \nAmericans through fewer jobs or reduced work hours, the \nadministration cannot just rewrite the law on the fly. \nMoreover, because of the Rube Goldberg construction of \nObamacare, the delay in the employer mandate and refusal to do \nproper applicant verification means that the Federal Government \nwill waste billions of dollars next year subsidizing people's \nhealth insurance who are ineligible for coverage under the law.\n    The IRS has recently become highly politicized under this \nAdministration around the implementation of the ACA and the \nrights of people from all political perspectives to operate on \na nonprofit and in a nonprofit organization. After the passage \nof the ACA, the IRS Commissioner Shulman visited the White \nHouse over 100 times in a 2-year period to discuss Obamacare \nimplementation. Shulman's predecessor at IRS, Mark Everson, \nshared his concern at an Oversight Committee hearing last year \nabout the problem with the IRS being so deeply involved with \nObamacare and the serious threat this poses to the historic \nindependence of the IRS.\n    Sarah Hall Ingram has led IRS' implementation of the \nAffordable Care Act for 3 years. She was originally invited to \ntestify at this hearing. However, because she may be also \nintricately connected to the IRS' targeting of conservative \nnonprofit groups, I have accepted Acting IRS Commissioner \nWerfel's offer to testify in her place. There are many \nquestions and issues facing the IRS, but today's focus is on \nthe data hub and on data sharing that is required because of \nthe ACA. I welcome Commissioner Werfel's testimony today.\n    Marilyn Tavenner, administrator for CMS, finally, after a \nvery long process there as acting, is also here today to field \nquestions related to the Federal data hub. Hopefully, she's \nprepared to address specific concerns about the possible cyber-\nrelated attacks, as well as the recent AP story from last \nweekend that the uninsured could fall victim to fraud, identity \ntheft, or other crimes at the hands of some of the very people \nwho are supposed to help them enroll.\n    I welcome the attendance of all of our witnesses today, and \nwe'll spend time introducing everyone in the moments ahead.\n    With that, I would like to recognize the ranking member of \nOversight committee, Ms. Speier.\n    Ms. Speier. Mr. Chairman, thank you, and I thank you and \nChairman Meehan for calling today's important hearing, and I \nthank all of the witnesses for being here to participate.\n    The Affordable Care Act extends health insurance coverage \nto tens of millions and uninsured and underinsured Americans to \nhelp them obtain necessary medical care. Already, millions of \nAmericans have directly benefitted from the Affordable Care \nAct: 2.5 million young adults, my son being one of them, now \nhave health insurance on their parent's plan. The parents of \nover 17.6 million children with pre-existing conditions no \nlonger have to worry that their children will be denied \ncoverage. More than 32.5 million seniors have already received \none or more free preventative services, including the new \nannual wellness visit. Starting this October, millions more \nAmericans will be able to easily compare and choose affordable \nprivate health insurance plans for the first time when health \nexchanges open in every State. Many low-income applicants will \nqualify for subsidies. Those shopping for insurance will no \nlonger have to worry that they will be denied coverage because \nof a pre-existing condition or worry that one serious illness \nand hospital stay will exhaust their lifetime limits, leading \nthem to financial bankruptcy.\n    Some have speculated that Obamacare will not work or at \nleast that the October deadline might not be met. A June 2013 \nGAO report raised the issue of some missed deadlines but \nultimately concluded that implementation was feasible and on \ntrack. This is a welcome news, and I look forward to hearing \nfrom the GAO today on how the process is proceeding. I also \nwould like to know what impact sequestration has on the ability \nof those who are supposed to implement the Affordable Care Act \nare being frustrated.\n    GAO also determined that CMS has developed contingency \nplans to be ready for unexpected development so the exchanges \nwill be able to open on schedule in October. HHS has long \nexperience with complicated health systems involving sensitive \npersonal information, like Medicare, Medicaid and Medicare Part \nD. Getting the healthcare exchanges up and running is without a \ndoubt a highly complex undertaking, made more complicated by \nthe decisions of many States to have the Federal Government run \ntheir exchanges, and it is unlikely to be perfect out of the \ngate. But no major program has launched without a few hiccups.\n    I am pleased there are concrete plans to mitigate any \ndisruptions of the exchange system and to ensure the integrity \nof data hub communications between HHS, the IRS, DHS, and the \nSocial Security Administration, States that other agencies \ninvolved in determining applicants' eligibility. At the same \ntime, the scope of this new program requires that we ensure \nthat it is carried out in a way that protects the privacy and \nsecurity of those applying for insurance and prevents fraud by \nthose seeking subsidies.\n    The privacy of enrollee information is non-negotiable. \nLegitimate concerns have been raised about whether the security \nstructure of the data hub that CMS has put into place will be \nsufficient when the exchange is launched in October. Today, I \nhope to learn from these witnesses the actual details of \nefforts to ensure security and privacy in the data hub. I am \nencouraged by Ms. Tavenner's written statement debunking the \nnotion that in pursuit of access to care, we have to sacrifice \nprivacy. Such statements must be backed by action and all \nparties to the transaction must have the same commitment. Mere \npromises are not enough, but we should also listen to the facts \nand not pre-judge the efforts of thousands of dedicated Federal \nand State employees working to make this law a reality.\n    At the same time, I'm troubled by recent reports of the \nIRS' unintentional exposure of personal information submitted \nby organizations seeking tax exemption under section 527 of the \nIRC. I am pleased that the agency moved swiftly to correct the \nsituation when it was detected. Such privacy breaches are \nunacceptable and should not happen at all.\n    Lastly, Mr. Chairman, I am concerned by the efforts of some \nto sabotage the implementation of the Affordable Care Act by \nmaking sweeping allegations about the theoretical potential for \nfraud and other possible failings. I hope this hearing today is \nnot an attempt to do that. The purpose of this committee, as \nyou have pointed out in your opening statement, is to conduct \noversight of programs like the Affordable Care Act, to ensure \nthat it is carried out properly, and to uncover waste, fraud, \nand abuse.\n    I look forward to additional hearings over the next several \nyears once we see the program actually in operation. I also \nhope Congress will not deny the funding needed to ensure that \nthe exchanges and the data hub can operate in a safe and secure \nmanner. In fact, I hope to learn from our witnesses today how \nsequestration and budget cuts have impacted their ability to \nimplement the law and protect enrollees' privacy.\n    The Affordable Care Act is the law of the land. It has been \nupheld by the United States Supreme Court. Now, Congress' duty \nis to oversee its implementation, not to seek to delay it or \ncause it to fail in its mission.\n    Today's hearing is a distinct opportunity to address \nlegitimate concerns with those lead agencies charged with \nbringing the exchange system to fruition. I look forward to \ntheir testimony.\n    Mr. Lankford. I now recognize the chairman of the Homeland \nSecurity Subcommittee on Cybersecurity, Infrastructure \nProtection, and Security Technologies, Mr. Meehan.\n    Mr. Meehan. I thank the gentleman, and I thank the members \nof both committees who have participated in today's hearing.\n    I thank the witnesses for their presence today, and all the \nmembers of the Subcommittee on Cybersecurity, Infrastructure \nProtection, and Security Technologies.\n    This hearing comes at a critical time in implementing one \nof the key aspects of the President's healthcare law, the \nFederal data hub. It's not my intention to relitigate the \nAffordable Care Act at today's hearing but rather to provide \ncrucial oversight over the government's establishment of the \nFederal data hub. As a result of the Affordable Care Act, the \nDepartment of Health and Human Services is building an enormous \ndata-sharing network between State health insurance exchanges \nand numerous Federal agencies.\n    The purpose of the data-sharing hub is for the government \nto determine whether Americans who enter the exchange are \neligible to do so. As the chairman of the House Homeland \nSecurity Committee's Cybersecurity Subcommittee, we've looked \nextensively at the access to and management of personally \nidentifiable information by the Federal Government. I don't \nneed to explain to this committee or to our witnesses or to the \nAmerican public from where our concerns emanate. We've \nwitnessed all too recently how sensitive information can be \nmismanaged by the Federal Government. We have seen how cyber \nattacks from adversarial nations who seek to infiltrate our \ncountry's military and intelligence information have breached \nour most secure networks. We've watched--we have watched as \nthieves have stolen our top innovators' intellectual property. \nWe have witnessed America's financial services institutions \nsuccumb to barrages of attacks by those who wish to do our \nnation and our very life harm.\n    These are the institutions that have the best in the form \nof protections at this point in time. FBI Director Robert \nMueller said that the cyber threat will be the number one \nthreat to our country, a remarkable thing to be said. NSA \nDirector Keith Alexander called a loss of intellectual property \nthrough cyber espionage the greatest transfer of wealth in \nhistory. And Former Secretary of Defense Leon Panetta said the \ncyber attacks could shift from espionage to destruction, the \nvariability to get inside this network and to destroy the \nability for it to communicate at all if it is not a secure \nsystem. And the Director of National Intelligence, James \nClapper has said that potentially disruptive and even lethal \ntechnology continues to become easier to access and that we \nforesee a cyber environment in which emerging technologies are \ndeveloped and implemented before security responses can be put \nin place. This is the best of our systems.\n    I would like to see how this system is set up to protect \nagainst those kinds of threats. These are serious people that \nare talking about these issues. We've been charged with \nsecuring the most critical data in the world, and although no \none could certainly make the argument that the personally \nidentifiable information of millions of Americans is just as \ncritical and critical to our Nation's data security.\n    Javelin Strategy and Research felt that $12.6 million \nAmericans are victims of identity theft each year. And a \nFebruary 2000 study of the Center for Strategic and \nInternational Studies found that 85 percent of government and \nprivate sector network breaches took months to be discovered. \nPricewaterhouse estimates that one-third of breaches come from \nemployees. We are going to literally have thousands, 22,000 \nestimated alone, navigators just in the State of California.\n    With over 20 million Americans estimated to enter into the \nexchange over the next 5 years, this leads to the question, \nwhich I believe must be answered at today's hearings, Are you \nready? Does CMS have the tools in place to secure the \ninformation for over 20 million Americans? Who and how many \nwill have access to this information? How do we ensure \ncompetence in those who have access? I have grave concerns \nabout the ability to establish sufficient security in this \nmassive unprecedented network by October 1st--that's just 75 \ndays away--when our most secure networks are being breached \nevery single day. Every sector, every agency, every industry \nconcerned with security will tell you they are only as strong \nhas the weakest link. I hope that our panel today can allay \nsome of these concerns, but I fear that our government is about \nto embark in an overwhelming task that will at best carry an \nunfathomable price tag and at worse place targets on every \nAmerican who enters the exchange.\n    I look forward to hearing from you today, and I yield back \nmy time.\n    Mr. Lankford. Now recognize the chairman of the full \ncommittee for Oversight and Government Reform, Mr. Issa.\n    Mr. Issa. Thank you, Mr. Chairman, and thank you for \nholding this important hearing. As my colleague from \nCalifornia, Ms. Speier, said, Obamacare is the law of the land. \nWhat she didn't say is sequestration is the law of the land, \nand both were signed by this President. So my expectation is \nthat the President has to know that he has to live within the \nbudget he signed; he has to live within the funding he signed, \nthat the cost overruns that CBO now knows are in Obamacare--the \n``it's going to be balanced,'' to ``it's going to be nearly \nbalanced,'' to ``it's going to be a trillion dollar train \nwreck'' is coming, but that's not the subject today.\n    The subject today, quite frankly, is the privacy of the \nAmerican people and the accuracy of the data, and waste, fraud, \nand abuse. I have less confidence in today's hearing for only \none reason: A key witness, Sarah Hall Ingram, who has 3 years \nof full-time experience since the passage of the bill, in some \ninexplicable way finds herself unable to be here, while I'm \nuniquely offered her boss. And I appreciate the Commissioner \nbeing here, but that's unheard of.\n    Time and time again this committee has asked for Cabinet \nofficers, only to appropriately find somebody beneath that \nperson who is able to answer our questions, so today we are \ngoing to have the top boss in his 65 days and probably his 55th \nappearance on Capitol Hill to answer questions. And I \nappreciate his presence, and I'm not trying to belittle the \ntechnical staff with him. But it goes to the root of this is a \nprogram so grand and so great that it pales Medicare in its \nshadow, it pales Medicaid in its shadow, and that's what we're \ndealing with.\n    The data of every American potentially will be transferred \nor will be transferred. Now, let's understand that. It's not \nbeing transferred to one place. In the cyber world, you have to \nlook at every end tentacle. Somebody at some station, somewhere \nin Chico, California, is going to have an outlet to the \nCalifornia exchange that is going to ultimately be connected to \nthat data. So, although the IRS might be able to put the \ndatabase in an acceptable system and transfer it, who are they \ntransferring it to? Ms. Speier mentioned CMS. I think also the \nchairman mentioned it. CMS. Now, this committee has recent \nexperience. CMS is the organization that sent $15.5 billion to \nthe State of New York in compensation excess of Federal law. \nAnd then, when we approached them, they wanted to phase it out \nover time. Well, they were overpaying vast amounts of money to \nthe State of New York, to New York institutions owned and \noperated by the State.\n    That wasn't a long time ago. Mr. Chairman, that was this \nCongress. We still don't have that $15.5 billion, so when we \ntalk about waste, fraud, and abuse and we talk about the \ndisclosure of personal information, we are dealing where \ndisclosures that occurred under the IRS' watch under this \nPresident. We are dealing with waste, fraud, and abuse \nestimated by the inspector general to be greater than the \nArmy's budget. We lose more than the Army consumes in Medicare \nand Medicaid, so a program that's statutorily--and the \ngentlelady from California is right; the law is the law. The \nlaw says that we will not subsidize unless the State has an \nexchange. And yet, unilaterally, the President has proposed \nthat State After State who chose not to be part of it are to \nhave subsidies. So instead of having some States, we now will \nhave all the States. Those who chose to do it, will be \nsubsidized. Those who choose not to, out of thin air, without \nstatutory approval, there will be a Federal exchange that will \nthen be subsidized. Those are some of the things.\n    Now, the gentlelady from California is a friend and a \ncolleague, but we differ on some parts. She thinks that \nObamacare has done a lot already. I think that it has already \nrun up the cost of healthcare. And when the President \ndetermines, without statutory approval, that one portion will \nnot be implemented for an extra year, that on employers, \nbecause, of course, it's not ready, and yet he thinks that an \nindividual mandate and the standing up of exchanges and the \nforcing of every individual in America into a healthcare plan \nnot yet defined, with a database not yet secure, is okay?\n    I've got to tell them, I have doubts, not about if \nObamacare will some day be ready, if all the bugs can be worked \nout, but with no pilot and no consistency of the legislation to \nthe actual implementation, I've got to tell you, we are at \nleast a year further out on not just the President's slowdown \nbut on the entire program, and I think today we are going to \nsee exactly that, that the plans are there but the pilot and \ntest, and if you will, proof of concept being tested, with \nthose thousands or hundreds of thousands of terminal access \npoints that could be what the ranking--the chairman from \nHomeland Security said, that weak link needs to be tested. I \nlook forward to hearing all of the testimony and particularly \nthe questions as to the weakest link.\n    And I yield back.\n    Mr. Lankford. Thank you. All members will have 7 days to \nsubmit their opening statements for the record.\n    We will now recognize our panel.\n    Before I recognize each individual, I would like to ask \nunanimous consent that our colleague from Tennessee, Mrs. \nBlack, be allowed to participate in today's hearing.\n    Ms. Speier. Mr. Chairman, can I also request that the \nranking member from the Committee on Homeland Security \nsubcommittee, Ms. Yvette Clarke's statement be read--be added \nto the record as well.\n    Mr. Lankford. Absolutely, without objection, on both of \nthose.\n    So ordered.\n    Mr. Lankford. Mr. Alan Duncan is the assistant inspector \ngeneral for security and information technology services, the \nOffice Treasury Inspector General for Tax Administration.\n    Mr. Terence Milholland is the chief information officer for \nthe IRS.\n    Thanks for being here.\n    Mr. Danny Werfel is the principal deputy commissioner of \nthe Internal Revenue Service.\n    Mr. Werfel, how many hearings have you been in so far? The \nchairman had mentioned that.\n    Mr. Werfel. I think this is my sixth since arriving here.\n    Mr. Lankford. Only six. Okay. We have got to get you to the \ndouble digits faster.\n    Mr. Werfel. I have another one right after this one.\n    Mr. Lankford. Well, we will do our best on that.\n    Ms. Speier. We would like to--we would like for you to run \nthe IRS, though, too.\n    Mr. Werfel. I am doing that, too.\n    Mr. Lankford. Yeah. The Honorable Marilyn Tavenner is the \nadministrator for the Centers of Medicare and Medicaid \nServices.\n    Mr. Henry Chao is the deputy chief information officer and \ndeputy director of the Office of Information Services in the \nCenter for Medicare and Medicaid Services.\n    Thanks for being here.\n    Mr. John Dicken is the healthcare director for the U.S. \nGovernment Accountability Office.\n    Thank you as well.\n    Mr. Lankford. Pursuant to committee rules, all witnesses \nare sworn in before they testify.\n    Will you please stand, raise your right hands?\n    Do you solemnly swear or affirm that the testimony you are \nabout to give will be the truth, the whole truth and nothing \nbut the truth, so help you God?\n    Thank you. You may be seated.\n    Let the record reflect that all witnesses have answered in \nthe affirmative. In order to allow time for discussion, we \nwould ask you to limit your testimony to 5 minutes. I think all \nof you have been here before, some more recently than others, \nobviously. There is a clock that's in front of you to give you \na quite countdown. Your written statement is a part of the \nentire record, so we will give you 5 minutes of time here.\n    And Mr. Duncan, I think you get to be the lead off hitter \nin this one.\n\n                  STATEMENT OF ALAN R. DUNCAN\n\n    Mr. Duncan. Thank you.\n    Chairman Lankford, Chairman Meehan, Ranking Member Speier, \nRanking Member Clarke, the members of the--and other members of \nthe subcommittees, thank you for the opportunity to testify on \nthe Treasury inspector general for tax administration's views \nand observations on the Internal Revenue Service's information \ntechnology support for the Affordable Care Act, how tax \ninformation will be provided and the safeguards needed to \nprotect taxpayers' data.\n    The Affordable Care Act contains an extensive array of tax \nlaw changes that present many challenges for the IRS. The ACA \nwill require collaboration and coordination among many \norganizations. The IRS' role with respect to the ACA is to \nimplement and administer the ACA provisions that impact tax \nadministration\n    This requires developing and implementing computer programs \nthat support the State and Federal insurance exchanges and the \ncollection of taxes, fees, and penalties that would help fund \nthe ACA.\n    The IRS' 2014 budget request includes $440 million for \nimplementation of the ACA, the largest component of which is \n$306 million for the implementation of information technology \nsystems and communications. The ACA health insurance enrollment \nstarts in October 2013. The IRS will be receiving health \ninsurance related information starting in 2014 from many \nsources, including individuals, employers, insurance companies, \nand the health exchanges.\n    The information technology security challenges for the ACA \nare considerable and include implementation of interdependent \nprojects in a very short span of time, evolving requirements, \ncoordination with internal and external stakeholders, and cross \nagency system integration and testing. The IRS implementation \nplan for ACA exchange provisions include providing information \non eligibility, calculating the maximum advanced premium tax \ncredit and reconciling ACA tax credits with reportable income. \nThese provisions require the development of new systems, \nmodification of existing systems, new fraud detection systems, \nand the deployment of interagency communication portals.\n    The ACA health insurance enrollment process starts when an \napplicant applies at the exchange. To provide support for \nenrollment, the IRS has developed the income and family size \nverification application that will provide exchanges with an \napplicant's tax information. Our audit of this application \ndetermined that the project was on schedule and the IRS was \nmanaging knowing information technology risk. However, we do \nhave concerns that the Federal tax data provided to the \nexchanges may not be adequately protected in accordance with \nthe IRS' safeguards program.\n    To assist applicants in the exchanges with selection of the \nappropriate insurance premium, tax credits, the IRS also \ndeveloped the advanced premium tax credit application that will \ninform an applicant of the maximum amount of advanced insurance \npremium that they would be eligible to apply for.\n    In the 2015 tax filing season, the IRS will be responsible \nfor reconciling the advanced premium tax credit taken with \nactual income and family size during the tax year, which could \nresult in a refundable credit or additional tax liability. The \nIRS has developed a plan to prevent and detect fraud and abuse \nduring tax return processing that includes ACA transactions. \nTIGTA does have concerns that the new fraud prevention systems \nand/or modifications to existing fraud-detection systems may \nnot be operational in sufficient time to identify ACA-related \nfraud schemes. We believe the IRS needs to complete and embed \npredicted analytical ACA fraud models into the tax filing \nprocess prior to the start of the 2015 tax filing season.\n    The HHS and IRS have jointly developed an interagency test \nplan for the upcoming health insurance enrollment. We are \nconcerned that final integration testing for all the agency \nsystems, communications, and the Federal and State exchanges \nmay not be completed before the start of the enrollment period \nin 2013. The lack of adequate testing could result in \nsignificant delays and errors in accepting and processing ACA \napplications for health insurance coverage.\n    Because of the extensive changes to numerous Tax Code \nprovisions, concerns related to ACA systems and security and \nthe need for interagency coordination, TIGTA plans to continue \nstrategic oversight of evolving ACA implementations. Our plan \nrequires audit investigative resources to evaluate IRS' role in \nACA programs and the protection of taxpayer's data.\n    Chairman Lankford, Chairman Meehan, members of the \ncommittees, thank you for the invitation to appear.\n    Mr. Lankford. Thank you.\n    [Prepared statement of Mr. Duncan follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Lankford. Mr. Werfel.\n\n            STATEMENT OF THE HONORABLE DANIEL WERFEL\n\n    Mr. Werfel. Chairman Lankford, Chairman Meehan, Ranking \nMember Speier and Clark and members of subcommittees, thank you \nfor the opportunity to appear before you today to discuss the \nsystems being developed to facilitate information sharing among \nthe IRS, the Department of Health and Human Services and other \nFederal agencies as part of the Affordable Care Act.\n    The IRS has been working to implementing a number of tax-\nrelated provisions within the ACA. The most substantial of \nthese provides for premium assistance tax credits to help \nmillions of American families afford health insurance starting \nin 2014, when the new health insurance marketplace, also known \nas health insurance exchanges, will begin operating.\n    To properly administer ACA provisions, such as the premium \nassistance tax credit, the IRS, HHS, and other Federal agencies \nwill need to share individual's personal and financial \ninformation. For example, the marketplace will need Federal \ntaxpayer data to help verify individuals' eligibility for the \ntax credits. Upon request, the IRS will provide income, family \nsize, and filing status information from recent tax returns.\n    Separately, the IRS will provide a support service to \ncompute a maximum advanced premium credit based upon inputs \nfrom the marketplace. The ACA designates HHS as the conduit for \ninformation being shared with the marketplace. The taxpayer \ndata supplied by the IRS will be transmitted over secure \nencrypted channels through the HHS data hub, which was \ndeveloped to facilitate these data transfers. Our ability to \nshare data with HHS is being brought about through new systems \nand services that our information technology division has been \ndeveloping.\n    We are on target to have these systems ready when open \nenrollment in the marketplace starts on October 1 of this year. \nLast month, we completed systems development and also finished \ninteragency testing with HHS and the Centers for Medicare and \nMedicaid Services. Performance testing of these systems will \ncontinue through the summer.\n    It is important to note that information sharing under the \nACA will be done against the backdrop of very strong \nconfidentiality protections that have been long part of the tax \nlaws. In general, section 6103 of the Internal Revenue Code \nprohibits the IRS from sharing tax return data with anyone \noutside the agency. Over the years, however, Congress has \ncreated a series of narrow exceptions to the restrictions in \nsection 6103.\n    For example, the IRS is permitted to disclose tax return \ninformation to other Federal agencies and to State tax \nauthorities to facilitate efficient tax administration. The ACA \nprovides a specific exception to section 6103 for information \nsharing activities that the IRS will perform under the statute. \nThe IRS is already well positioned to ensure the safety and \nsecurity of the data being shared under the ACA, given the \nlongstanding experience we have in overseeing the transmission \nof data to Federal and State agencies.\n    The IRS office of safeguards has the responsibility for \nmonitoring the nearly 300 Federal and State agencies that \ncurrently are permitted to receive tax return data to ensure \nthey are complying with strict safeguarding requirements we \nimpose on them.\n    To prepare for data sharing under the ACA, the IRS has been \ncollaborating with HHS and other agencies on the processes and \nwritten agreements needed to protect personal information, \nincluding tax return data. Among our collaborative efforts, the \nIRS and HHS have entered into a computer matching agreement or \nCMA, which details the operations of the data exchanges and \nvarious disclosure restrictions and other requirements.\n    Just this week, the CMA was signed by both agencies and \ntransmitted to the Treasury Data Integrity Board for approval. \nAfter approval by Treasury and HHS, it will be transmitted to \nCongress for the required notice period and be effective when \nopen enrollment begins on October 1.\n    The IRS is subjecting the health insurance marketplace and \nState agencies seeking tax return data under the ACA to \nsignificant data protection requirements. Before one of these \nentities can obtain tax return information, it must submit a \nSafeguard Procedures Report, or SPR to the IRS for its \napproval. This report details the steps that the entity has \nestablished or plans to take to protect the confidentiality of \nthe tax records it will be handling.\n    Taxpayer data will be withheld from entities that fail to \nestablish adequate safeguards. The IRS will provide a list of \nentities with approved SPRs to HHS by October 1. Going forward, \nwe will provide ongoing oversight to ensure that all entities \ninvolved in data sharing continue to meet the safeguarding \nrequirements.\n    Chairman Lankford, Chairman Meehan, and Ranking Member \nSpeier and Clarke, that concludes my statement. I would be \nhappy to take your questions.\n    [Prepared statement of Mr. Werfel follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Lankford. Ms. Tavenner.\n\n         STATEMENT OF THE HONORABLE MARILYN B. TAVENNER\n\n    Ms. Tavenner. Good morning, Chairman Lankford\n    Mr. Lankford. We need to get you button on there so we can \nall hear you.\n    Ms. Tavenner. Thank you. Good morning. I would like to \nthank you for the opportunity to discuss the Center for \nMedicare and Medicaid Service's progress in implementing the IT \nsystems in support of the new health insurance marketplace.\n    Since the passage of the Affordable Care Act, CMS has been \nhard at work designing, building, and testing secure systems \nthat ensure Americans are able to enroll in affordable health \ncoverage. I want to assure you that October 1, 2013, the health \ninsurance marketplace will be open for business. Consumers will \nbe able to log onto healthcare.gov, fill out an application and \nfind out what coverage and benefits they qualify for.\n    I also want to assure you and all Americans that when they \nfill out their marketplace application, they can trust that the \ninformation they are providing is protected through the highest \nprivacy standards, and the technology underlying this \napplication process has been tested and is secure.\n    I want to quickly walk you through what we're building, how \nit works and what data we are storing. I know there has been \nsome confusion about the marketplace, its IT system and how \ndata will be used. I want to make two points clear.\n    First, while the marketplace application asks for some \npersonal information, such as name, address, Social Security \nnumber, and date of birth, the marketplace application never \nasks for personal health information and the marketplace IT \nsystems will never access or store personal health information \nbeyond that which is routinely used when applying for Medicaid.\n    Second, CMS prioritizes the privacy and security of \napplicant's data. CMS designed the marketplace IT system in a \nway to minimize all possible security vulnerability, and we \nespecially focused on storing the minimum amount of personal \ndata possible. With that clear, let's move to the first \nquestion people often ask. What is it that we are building?\n    The Affordable Care Act directs States to establish State-\nbased marketplaces by January 1 of 2014. In States electing not \nto establish such a marketplace, the Affordable Care Act \nrequires that the Federal Government establish and operate a \nmarketplace in the State which is frequently referred to as the \nFederally Facilitated Marketplace. This marketplace will \nprovide consumers access to healthcare coverage through private \nqualified health plans, and consumers seeking financial \nassistance may qualify for insurance affordability programs \nthrough the marketplace such as tax credits.\n    In order to enroll in an insurance affordability program \nthrough the marketplace, individuals must complete an \napplication and meet certain eligibility requirements. To \nfulfill these functions, Federally Facilitated and State-based \nmarketplaces are developing eligibility, redetermination and \nappeals IT systems. These IT systems are similar to what \nprivate issuers, Medicare Advantage issuers, and State Medicaid \nagencies currently use to carry out the same functions. Because \nthese IT systems that perform the basic functions of the \nmarketplace, CMS is developing a tool, which is known as the \nFederal Data Services Hub, which provides the electronic \nconnection between the eligibility systems of the marketplace \nto already existing secure Federal and State databases to \nverify that information is correct, and that consumer provides \nin the marketplace application.\n    It is important to understand that the hub is not a \ndatabase. It does not retain or store information. It is a \nrouting tool that can validate applicant information from \nvarious trusted government databases through secure networks. \nIt allows the marketplace, Medicaid and CHIP systems to query \ngovernment databases used today. The hub will only query the \ndatabases necessary to determine eligibility for specific \napplicants. The hub increases by efficiency and security by \neliminating the need for each marketplace, each Medicaid agency \nand each CHIP agency to set up separate data connections to \neach database. We know that vulnerability increases when the \nnumber of connections to a database increase. That's why we \ncreated the hub. The hub provides one highly secured connection \nto trusted Federal and State partners' databases used today \ninstead of requiring each agency to set up what would have \namounted to hundreds of different connections.\n    We have completed development in the majority of the \ntesting of the hub services. All testing for the hub will be \ncompleted by the end of August. And with that, I'll conclude \nand be happy to answer any questions.\n    Mr. Lankford. Thank you.\n    [Prepared statement of Ms. Tavenner follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Lankford. Mr. Dicken.\n\n                    STATEMENT OF JOHN DICKEN\n\n    Mr. Dicken. Good morning, Mr. Chairman, ranking members and \nmembers of subcommittees, I am pleased to be here today to \ndiscuss issues with data systems that will be a critical \ncomponent of the new health insurance exchanges. As you have \nheard this morning, starting in October, health insurance \nexchange in each State will provide new marketplaces where \neligible individuals can compare and select health plans.\n    To support the exchange's efforts to determine applicant's \neligibility to enroll, CMS is building a tool called the \nFederal Data Services Hub. This data hub is intended to provide \none electronic connection to Federal sources for near realtime \ndate access to data, as well as to provide access to State and \nother data sources needed to verify consumers' application \ninformation. Several million Americans are expected to enroll \nin qualified health plans offered through the exchanges, once \ncoverage begins in 2014.\n    My comments today highlight key findings from a report that \nGAO issued last month on the status of CMS' efforts to \nestablish Federally Facilitated Exchanges in 34 States and to \nestablish the data hub to support exchanges in all States. \nThese findings are based in large part on our review of \nplanning documents that CMS used to track Federal and State \nactivities, including the development and implementation of the \ndata hub, as well as interviews with CMS officials.\n    In brief, CMS has completed many activities necessary to \nestablish Federally Facilitated Exchanges by October 1st, \nalthough many activities remain to be completed and some were \nbehind schedule. As examples of progress made, CMS has issued \nnumerous regulations and guidance and taken steps to establish \nprocesses and data systems necessary to operate the exchanges. \nBut the exchange's ability to effectively carry out eligibility \ndetermination and enrollment activities on October 1st will be \ndependent on CMS' successful implementation of the data hub. \nCMS is expected to complete development and testing of the \ninformation secure technology systems necessary for the data \nhub by October 1st, as Administrator Tavenner just indicated. \nCMS began both internal and external testing for the data hub \nin October of last year as planned.\n    According to program officials and our review of project \nschedules, CMS established milestones that aimed to complete \nthe development of required data hub functionality by this \nmonth and for full implementation and operational readiness by \nSeptember. Additionally, CMS has begun to establish the \nrequired technical security and data-sharing agreements with \nfederal partner agencies and States.\n    While CMS data does, thus far, met project schedules and \nmilestones for establishing agreements and developing the data \nhub, at the time of our report, several critical tasks remained \nto be completed before the October 1st implementation. These \nincluded finalizing service level agreements between CMS, the \nStates and Federal partner agencies in completing external \ntesting with all Federal partner agencies in all States.\n    In conclusion, Federally Facilitated Exchanges in the \nfederal data services hub are central to the goals under the \nPatient Protection and Affordable Care Act of having health \ninsurance exchanges operating in each State by 2014 and of \nproviding a single point of access to the health insurance \nmarket for individuals. Their development has been a complex \nundertaking involving the coordinated actions of multiple \nFederal, State and private stakeholders. It has also required \nthe creation of an information system to support connectivity \nand near realtime data sharing between exchanges and multiple \nFederal and State agencies.\n    Much progress has been made; nevertheless, much remains to \nbe accomplished within a relatively short amount of time. CMS' \ntime lines provide a roadmap to completion of the required \nactivities by the start of enrollment on October 1st. However, \nthe large number of activities remaining to performed, some \nclose to the start of enrollment, suggests a potential for \nchallenges going forward. And while the interim deadlines \nmissed thus far may not affect implementation, additional \nmissed deadlines closer to the start of enrollment could do so.\n    At the time of our report, CMS had recently completed risk \nassessments and plans for mitigating identified risks \nassociated with the data hub and was also working on strategies \nin each State to address State preparedness contingencies. \nWhether this contingency planning will assure the timely and \nsmooth implementation of exchanges by October 2013 cannot yet \nbe determined.\n    Mr. Chairman and ranking minority members, this concludes \nmy statement, and I'll be pleased to answer any questions that \nyou or other members of the subcommittee may have.\n    Mr. Lankford. Thank you.\n    [Prepared statement of Mr. Dicken follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Lankford. And thank you, all of you, for your \ntestimony.\n    Can anyone state to me the section of the ACA that outlines \nthe data hub? So, this massive undertaking started from what \nwithin the law? Because it is a massive piece, obviously. I'm \njust trying to figure out what part of the law mandates that \nthis data hub be created, that this is the particular vehicle \nto solve the problem?\n    Mr. Milholland. Mr. Chairman, I will take a cut at that. \nIt's the requirement to exchange information between agencies. \nWe had to find a way that would easily work to connect to the \nIRS and particularly HHS and then subsequently to the \nexchanges, also to other government agencies. When we did the \narchitecture and design in collaboration with HHS and the other \npartners, we realized that the simplest design, the one that \nwould make it more likely that we would implement on time, was \na hub concept.\n    Mr. Lankford. So you're saying that there's a statement \nwithin the law that requires communication between the \nagencies. Is this also requiring communication to the exchanges \nas well?\n    Mr. Milholland. I will let HHS answer that specifically, \nbut I believe the answer is yes.\n    Mr. Lankford. Okay. Does anyone know on the section of law \nwhere this comes from?\n    Mr. Chao. I don't--I don't believe it's in any section of \nthe law. I think, you know, as Terry said, we've been working \ntogether on the most efficient implementation of the \nrequirement that is in the law for information sharing between \nFederal agencies that are used to verify data on applications \nof people who are applying for----\n    Mr. Lankford. Okay. So there is a section that requires \ncommunication verification on it. How much does--does anyone \nknow the total cost of the hub at this point? I mean, we've got \ntwo contractors that are working on it. Every agency has now \nstarted engaging. We have all these agreements for computer \nmatching. Every State is also engaging in it, so we've got a \nline that's in the law, someone says we need to verify, how \nmuch has this cost.\n    Mr. Chao. I think that there are several line items within \nthe hub, but the total picture, as GAO reported, is about $394 \nmillion that CMS has budgeted and obligated for the various \ncontracts to build the capabilities for the marketplace.\n    Mr. Lankford. Okay. And then we've got several different \npieces here. We have the data hub, obviously connecting all the \nagencies there where you're saying information is not stored at \nthe data hub.\n    Mr. Dicken referred to it's almost done in realtime, I \nbelieve, was the statement that was made there. Is it really \nrealtime that's done or are we batching all these reports?\n    Mr. Chao. The vast majority of the design is for realtime \nresponses and realtime requests to get the data.\n    Mr. Lankford. So, exchange hits the hub, makes the query, \ncomes back seconds later, or does it come back hours later? \nThat's what I'm trying to figure out on it, the batch schedule \nhere.\n    Mr. Chao. The service levels agreement, for example, with \nIRS is between 5 and 8 seconds\n    Mr. Lankford. Okay. That's terrific. What about the caching \nof information. So when the request is made, how long is the \ncache to be able to hold on to that information as it's going \nthrough the process?\n    Mr. Chao. The ``caching,'' and I put quotes around that, is \nkind of loosely used. When an individual is applying for the \nmarketplace and they begin to enroll or request enrollment via \nthe online application, they can pause and save that \napplication into what we call a ``My Account,'' and that's on \nthe marketplace system side.\n    Mr. Lankford. Okay. So, that is stored information. So, in \nthe data hub, you're saying, the caching is the best way to do \nit is over here, so how long is the cache in the data hub \nsection of it?\n    Mr. Chao. It is a consumer--when it comes to the \napplication and their data, it is a consumer-elected, quote-\nunquote, ``caching'' of information saved in their ``My \nAccount.'' In the hub, the time to live is very short. If there \nis no question and response match, that data is then removed.\n    Mr. Lankford. So you're talking 10 minutes, 20 minutes, an \nhour, somewhere through there?\n    Mr. Chao. Within minutes.\n    Mr. Lankford. Okay. All right. Then let's go on the other--\non the consumer side, where you're saying--talking about ``My \nAccount'' because that is where stored data is located. Give me \nexamples of some of the fields.\n    Ms. Tavenner, you mentioned a couple of those, Social \nSecurity, birthdays and such. What are some of the other fields \nthat are there?\n    Mr. Chao. Names of household members, address, the \nrequirement to supply valid Social Security numbers.\n    Mr. Lankford. Ethnicity, is that included as well?\n    Mr. Chao. I believe there are race and ethnicity----\n    Mr. Lankford. Okay. So, home address. Is there a phone \nnumber that's included in that?\n    Mr. Chao. Yes.\n    Mr. Lankford. Email address?\n    Mr. Chao. Yes, contact information.\n    Mr. Lankford. All of the--does it have the questions about \nemployer-sponsored coverage, is that included in that part as \nwell?\n    Mr. Chao. Yes.\n    Mr. Lankford. Just questions about some of the background \non it. Veteran status?\n    Mr. Chao. Yes.\n    Mr. Lankford. So, family members, you mentioned that. Does \nit just list out family members or list out the details of the \nfamily members?\n    Mr. Chao. It--I think when we examined verification and \ndetermination of eligibility for premium tax credits with--in \nconjunction with IRS and also examined Medicaid and CHIP \neligibility, there are some information that's used for \ndifferent programs.\n    Mr. Lankford. Okay. Let me run through several here. Indian \ntribe?\n    Mr. Chao. Yes.\n    Mr. Lankford. Tribal member is listed there.\n    Mr. Chao. Yes.\n    Mr. Lankford. Pregnant, would that be a question that would \nbe asked or----\n    Mr. Chao. It depends on a series of what we call a pattern \nof answers that would indicate that that might be a question \nassociated with----\n    Mr. Lankford. Obviously, ``female'' would be one of those, \nI would assume, in that pattern?\n    Mr. Chao. I would think so, but it could be a household \nmember that is not the applicant, but that's mostly used for--\n--\n    Mr. Lankford. But that is a possibility that's in there. \nApplicant income, request of that?\n    Mr. Chao. Yes.\n    Mr. Lankford. Disabled, would that be listed as part of it?\n    Mr. Chao. Disability, no.\n    Mr. Lankford. Okay. All right. So that this information is \ngathered and it's stored how long?\n    Mr. Chao. For--once the enrollment is established, you \nknow, via the ``My Account.''\n    Mr. Lankford. So the ``My Account'' is set up, that \ninformation stored in that section, stored how long?\n    Mr. Chao. It is stored for as long as the person is seeking \naccess to affordable care and wants to enroll via the \nmarketplace.\n    Mr. Lankford. Okay. We'll have a lot of questions for you. \nI want to be able to honor everyone's time in the day on this, \nbut I want to just set some basic parameters of what we're \ntalking about, because we are really talking about two \ndifferent systems. Data hub may not store anything, but we do \nhave a data system that is storing large amounts of information \nas well, and so we'll have to be clear as we walk through it \nand try to make sure that we're using correct terms as we walk \nthrough it; is that okay?\n    Okay. Ms. Speier.\n    Ms. Speier. Mr. Chairman, thank you.\n    And thank you again to all the witnesses.\n    Three issues, privacy, security, fraud, that's what we're \nfocussing on today.\n    Let me start with Mr. Werfel and ask you a question about \nprivacy.\n    Given the number of different agencies involved, what \nmeasures has the IRS implemented to guarantee that sensitive \ntaxpayer information is protected when it enters the data hub?\n    Mr. Werfel. Thank you for the question. We, as I mentioned \nin my opening statement, we have a longstanding process because \nthe Tax Code has previously allowed for, in certain situations, \nthe IRS to share taxpayer information to Federal and State \nagencies, so over time, we built a very robust process that \nwe're leveraging for the manner in which we'll share \ninformation under the ACA, which created a new exception under \nthe Tax Code.\n    That process is anchored around what we call a safeguard \nprocedures report, and essentially, if you are to receive \ntaxpayer information from the IRS, then you have to have an \napproved safeguard procedures report in place that IRS--and \nit's a very robust set of requirements. IRS reviews and \napproves that procedures report, or SPR, and then we monitor \nand do like on-site visiting to make sure that they are \ncomplying with those procedures that they outline. They deal \nwith things like recordkeeping, restricted access, employee \nawareness about the sensitivity of the information, internal \ninspections to make sure that the procedures that are in place \nare robust, disposal of records when they are no longer needed, \nmaking sure that only those records that are needed--that are \nused are needed.\n    So, it's a--you know, we have, as an example, just to give \nyou a sense of how robust it is, just a template for what a \nState agency or Federal agency or the hub, in this case would, \nneed to fill out is 61 pages, and that's just a template of \nwhat's required.\n    So, really, we have a very robust set of requirements that \nare well battle tested over the years. We go through a robust \nprocess to review it and then we do on-site monitoring to make \nsure that the agency involved, whether it's the hub or a State \nagency or another Federal agency are making good on their \ncommitments.\n    Ms. Speier. Is there any penalty if they somehow have it \nbreached?\n    Mr. Werfel. Well, there are ongoing reviews that are done \nby the inspector general as an example. There can be severe \npenalties for willful breaches. What the inspector general, I \ncan let Mr. Duncan speak to that, usually do is determine \nwhether the breach was inadvertent or willful, and if it's \ninadvertent, then they would issue some type of report that \nwould establish new sets of requirements that we may need to do \nto make sure that such inadvertent disclosures don't occur \nagain. If it's willful, they may refer to the Justice \nDepartment for potential prosecution. It just depends on the \ncircumstances.\n    Ms. Speier. Okay. Now, I'm going to jump first to fraud and \nthen come back to security because in my mind, security is the \nissue here. In terms of fraud, the chairman had referenced that \nthere is, in effect, an honor system in place, and while that \nmay be the case, because you're self-attesting it to, it's an \nhonor system with consequences, is it not? If, in fact, you say \nyou make $40,000 a year and are eligible for a premium credit, \nwhen it comes tax time the following year, if you really made \n$150,000, that subsidy has to be returned to the coffers of the \nU.S. taxpayers; is that not true?\n    Mr. Werfel. Generally. If I could have a second to explain.\n    So a couple of important things about the fraud and error \nrisk associated with the ACA.\n    First, what's happening when the individual enters the \nmarketplace and seeks a premium tax credit, the system is set \nup so that any funds that they may be eligible or not eligible \nfor because they're trying to defraud the system don't go to \nthe individual. They go to the insurer.\n    So the individual can try to penetrate the system and gain \nmoney, but they're not going to get money. The money is going \nto be sent to the insurers.\n    Ms. Speier. They're going to get health care.\n    Mr. Werfel. They're going to get health care. And they \nmight get more affordable health care than they're otherwise \neligible for.\n    And at the back end, when they're reconciling, it may be \nthat they were eligible for too much when we see what their \nactual income is when they file their taxes, and then they'll \nowe potentially some more money.\n    It may be that we didn't determine that they were eligible \nfor enough. But what that will mean in that case is they have \nbeen paying into this process, to the exchange, too much money \nthan they should have, so we're only reimbursing them the cash \nthat they've already paid in.\n    Now, there is----\n    Ms. Speier. I'm running out of time, and I want to get--\nthank you--to the more critical issue.\n    I believe that the hub has a bull's eye on it and that the \npotential for it being hacked is great. And while there's been \ntesting that has been undertaken, does ``testing'' mean that \nwe've allowed, you know, high school computer science whizzes \nto try and hack into the system?\n    Mr. Chao. No, Congresswoman. The testing involves security \nprofessionals with predefined security protocols that are \nembedded and automated procedures that, for example, to try to \npenetrate the system and to emulate a potential hacker, as well \nas it scans for poor quality of code development with big holes \nin it so that people can actually infiltrate the system.\n    And it also includes examining audit procedures and the \nability to log access to the system and provide the \ntraceabilities that auditors need in order to see who has been \naccessing what data with the right--with the correct roles and \npermissions.\n    Ms. Speier. My time has expired.\n    Thank you, Mr. Chairman.\n    Mr. Lankford. Mr. Meehan?\n    Mr. Meehan. Thank you, Mr. Chairman.\n    And I want to jump off of what the gentlelady from \nCalifornia said about this being--looking at it from the \nsecurity perspective, and also to talk about it from the \nperspective of what the chairman said.\n    And this is not a partisan effort to try to go put you on \nthe spot. And I also appreciate that you are the people who \nhave been trying to implement this.\n    But I also have grave, grave concerns about the scope of \ninformation that is being put together by this system that you \nput together because, you know, it was required just to make it \nwork. And I've been struck by the observations of numbers of \npeople who are outside the organization, as well.\n    So I know you, Ms. Tavenner, have discussed that you are \ntrying to take the minimal amount of information that is \nnecessary. But what is necessary to make the system work has \nbeen discussed by Stephen Parente of University of Minnesota, \nwho studied perhaps the largest consolidation of personal data \nin the history of the Republic. Do you dispute that?\n    Ms. Tavenner. One thing I would remind the committee is \nthat, currently, we are used to storing and having personal \ninformation on large numbers of individuals, such as in the \nMedicare program, in the Part D program. We take it very \nseriously, and we go through the highest security and privacy \nprotections.\n    Mr. Meehan. I know you take it seriously. The question is \nwhether you're prepared to have this information protected \nagainst the kind of and scope of probes that are taking place \nin the real world today.\n    I'm going to read some observations from some people who, \nyou know--``This national insurance exchange system will be the \nlargest IT system ever created in our history, and they're not \nsure how it will work, and they cannot assure the security of \nthis very private data. They are extensive government data-\nsharing systems that lack information security and offer easy \naccess to hackers, identity thieves, and others interested in \nsurreptitiously gaining access to private information.'' This \nwas Twila Brase from the Citizens' Council for Health Freedom.\n    ``Nothing like this has ever been done to this complexity \nor scale and with a timeline that puts it behind schedule \nalmost before the ink was dry.'' This was Rick Howard, who has \nan advisory firm, the Gartner firm.\n    This is Jim Spatz, a senior advisor at Manatt Health \nSolutions: ``As crunch time is coming, they're just muddling \nthrough and figuring out shortcuts. It might not be elegant, \nbut this is how they're trying to make the law work.''\n    These are the observations of some of the people who are \noutside the system observing it. Are they accurate?\n    Mr. Chao. Congressman, I would refute that to say ``no,'' \nbecause CMS has vast experience--for example, there are nearly \n50 million Medicare beneficiaries, and we have databases and \nsystems that operate in an architectural and technical pattern \nvery similar to what the marketplace requires, including, you \nknow, application for enrollment, processing eligibility \nverifications, checking various sources of data, allowing for \npeople to come back in to report life-changing circumstances, \nworking with SSA to remove them when we receive a date-of-death \nnotice.\n    I think all these operations at a very, very super-scale \nlevel in health care, CMS has applied this experience to the \nmarketplace program.\n    Mr. Meehan. Would you--I understand what you're trying to \ndo at CMS. Are you aware of what's going on today, Quantum Data \n2, the testing thing that's being done right now on Wall Street \ntoday by the major New York banks?\n    Mr. Chao. No, I'm not.\n    Mr. Meehan. Do you think that your system is more or less \nsecure than that that is being put together by the best banks \nin the United States?\n    Mr. Chao. I really can't speak to that because I'm not \naware of what they're doing.\n    Mr. Meehan. Well, they're walking through, as we speak, \nwith regard to the ability to--that their recognition that they \nare, in effect, being so remarkably challenged by the ability \nof complex networks, be they criminal, be they state-oriented, \nbe they otherwise, to get into information systems that they \nhave responsibility over.\n    And I'm not sure that I'm aware of any system that has more \npersonally identifying information than your system currently. \nAnd the question is the degree to which we're capable of being \nable to protect those systems.\n    My time has expired, but I'm looking forward to following \nup specifically on some of the questions with regard to that.\n    Ms. Tavenner, do you have a comment?\n    Ms. Tavenner. The comment I would make is that there \ncertainly is a lot of speculation out there about what's going \non inside CMS. And what I know is that the process that we are \nfollowing, we are used to working--we have lots of experience \nwith working with big data sets.\n    And we are following, going back to the Privacy Act of \n1974, moving forward, to make sure that we have the highest \ndegree of security and privacy protection. And we are on \nschedule to get that done----\n    Mr. Meehan. Do you know, what is the highest degree of \nsecurity protection? Do you know, yourself, what that is?\n    Ms. Tavenner. So I know, working with the team, that we \nstart with certain standards that are required by the \ngovernment, and we follow those standards completely and \nthoroughly. And then we have a continuous monitoring process, \nwe have a continuous training process----\n    Mr. Meehan. Ms. Tavenner, let me ask a question. When was \nthe last time that you have sat in on a secure briefing by the \nFBI or the Department of Homeland Security giving you the \ncurrent state of the cyber threat to data systems in the United \nStates?\n    Ms. Tavenner. I don't know that I've sat in on an FBI \nbriefing. We certainly have briefings inside HHS, and I did \nsit----\n    Mr. Meehan. But no, no, no. I asked you a specific \nquestion. The two agencies that have the specific \nresponsibility to understand the scope and nature of the \nthreat--are you telling me that you are the person who is \nresponsible for putting together what may be the biggest data \nsystem of private information in the history of the United \nStates, according to testimony of numbers of people, and you \nhave never been to a secure briefing by the FBI or Homeland \nSecurity about the current nature of the threat to data \nsystems?\n    Ms. Tavenner. And I am telling you that I have been to a \nsecure briefing.\n    Mr. Meehan. With whom? By HHS or FBI?\n    Ms. Tavenner. With HHS.\n    Mr. Meehan. Well, but that is not Homeland Security, is it?\n    Ms. Tavenner. No, sir.\n    Mr. Meehan. No, it is not, nor is it the FBI, who are the \ntwo responsible for understanding the nature of the threat.\n    I will pursue my questioning. Thank you, Mr. Chairman.\n    Mr. Lankford. Ms. Clarke?\n    Ms. Clarke. Let me thank you, Chairman Lankford, Chairman \nMeehan, and thank Ranking Member Jackie Speier for submitting \nmy testimony to the record.\n    And thank you, witnesses, for your testimony here this \nmorning.\n    My first question will go to Mr. John Dicken.\n    Your report on the development of the Affordable Care Act \ndata hub is the first of its kind for these healthcare \nprograms, which means we are still learning about how to go \nabout assessing the progress of the effort. You noted that 15 \nof the 34 States where Federal health officials are running the \nexchanges will play some role in their operation, and this is a \ngood sign.\n    With about 7 million citizens expected to enroll in \nhealthcare plans, would you tell us first about the key \nmilestones that have been met and the plateaus that have been \nreached in such a massive undertaking?\n    Mr. Dicken. Thank you, Ranking Member Clarke.\n    You are right that our report did look at two of the key \nmilestones that have been met. We issued our report last month \nand highlighted some of the progress that has been made--\nnotably, issuing key regulations and guidance that are \nnecessary for establishing the exchanges and the data hub; \nestablishing, building, and developing and implementing some of \nthe data systems that are necessary; and beginning some of the \nprocess for testing that is still ongoing.\n    Since our report came out last month, there have been some \nother public milestones that have been met. I know that CMS has \nrelaunched the healthcare.gov website.\n    There are still a number of big challenges remaining, \nthough. Our report does highlight that there are still a number \nof key milestones that do need to be met before October 1st and \nthe open enrollment.\n    Ms. Clarke. I would like to also hear from agency staff \npresent about what milestones they feel have been reached and \nhow they see their progress.\n    Mr. Chao. For CMS, we manage and administer the majority of \nthe testing with the key business partners, which are the \nissuers or insurance companies that offer qualified health \nplans in the marketplace. We began testing with them in June \nextensively and stepping into greater and greater iterations of \nmore complex testing that involved enrollment that are \norchestrated with the issuers and their ability to receive an \nenrollment transaction and an acknowledgment and, finally, into \na payment and a payment acknowledgment.\n    The States we have been testing extensively since February, \nso those have been major milestones. Starting this week, we \nhave conducted the testing in waves, and States have been \ncoming in in various waves. You know, one through four is what \nwe categorize it, with four being the vast majority of the more \ncomplex testing with the hub primarily and the ability to \nreceive information when a federally facilitated marketplace is \ndetecting the potential for Medicaid and CHIP eligibility.\n    That testing in the fourth wave began this week, and we \nhave 40 States participating. And when the 40 States are \ntesting with us, we will have all the States that have done \nsome level of testing with us, with the 40 probably being the \nvast majority between now and August.\n    Ms. Clarke. Does anyone have anything else to add?\n    Mr. Werfel. I would just add to that from the IRS \nperspective. We also, similarly to HHS, are on schedule. We \nhave a variety of information technology builds and upgrades \nthat are necessary to meet the information-sharing requirements \nwithin the ACA, and that we're generally on target with respect \nto all of those milestones. And we have a very high degree of \nconfidence of readiness when October 1 hits and the open season \nenrollment begins.\n    Ms. Clarke. Well, that sounds good.\n    Let me go on and ask, can you update us on the Federal Data \nServices Hub testing activities, including the list of tests, \nwhich agency and stakeholder tested the data hub in each event, \nthe results of each test, and when the testing will be \ncomplete?\n    Mr. Chao. We certainly can do that. I can generally run \nthrough right now in just a few minutes. But I think, working \nwith GAO and other folks that want to come in and take a deep \nlook at the range and depth of our testing by testing partner, \nwe can certainly provide that information. It is available.\n    The testing that will occur in the next 70-plus days or so \nis largely looking at what was mentioned earlier as integration \ntesting. Some folks like to use the term ``end-to-end \ntesting,'' as if there is just this one giant thread from start \nto finish of all these complex processes that have to, in \nessence, have a handshake to move this data and respond to data \nin order to fulfill the request for enrollment.\n    We are taking segments of that or hops of that process and \ntesting the integration, for example, between IRS and the data \nhub, the data hub with the marketplace systems, and the \nmarketplace systems with the issuers.\n    So that's just a very, very high-level example of how we \nbreak down that integration testing into those hops and to look \nat the interfaces and the data flows that are necessary to \nsupport that business process.\n    Ms. Clarke. Thank you. And if you could submit to the \ncommittee just a little detailed testing arrangements, that \nwould be something that we'd like to have.\n    Mr. Chao. We can certainly do that.\n    Ms. Clarke. Thank you.\n    Mr. Chairman, I will yield back.\n    Mr. Lankford. Thank you.\n    I recognize the chairman of the full Committee on \nOversight, Mr. Issa.\n    Oh, he's not here right now. He had to slip out.\n    Mr. Jordan?\n    Mr. Jordan. I thank the chairman.\n    Mr. Werfel, we've been given two titles for this \nindividual. We've been given the title Project Manager for the \nAffordable Care Act and Director of the IRS's Affordable Care \nAct Office. Who is that individual?\n    Mr. Werfel. I'm sorry, can you repeat the two titles?\n    Mr. Jordan. Project Manager for the Affordable Care Act and \nDirector of the IRS's ACA Office. Isn't it true that that \nindividual is----\n    Mr. Werfel. Yeah, I mean, I'm just--you know, we have title \nchanges, but I think you're referring to Sarah Hall Ingram.\n    Mr. Jordan. All right. And how long has Ms. Ingram worked \nat the Internal Revenue Service?\n    Mr. Werfel. I don't know the answer to that.\n    Mr. Jordan. Our records show that she has worked there \nsince 1982, 30 years. And prior to taking over the ACA Office, \nwhat was Ms. Ingram's title?\n    Mr. Werfel. Commissioner for the Tax-Exempt Government \nEntities organization.\n    Mr. Jordan. And this is the very organization where the \ntargeting of conservative groups took place; isn't that \ncorrect?\n    Mr. Werfel. It is the organization that was the subject of \nthe IG report that I think you're referring to.\n    Mr. Jordan. Yes. And this is also--Ms. Ingram was also Lois \nLerner's boss; isn't that correct?\n    Mr. Werfel. I believe for a period of time, yes.\n    Mr. Jordan. When the targeting took place, for 2 of the 3 \nyears that the targeting took place, according to our records.\n    And isn't it true that Ms. Ingram was invited to be a \nwitness at today's hearing?\n    Mr. Werfel. That is true, yes.\n    Mr. Jordan. And isn't it true that you called Mr. Lankford \nand asked that she not come and that you come instead?\n    Mr. Werfel. What I told Mr. Lankford was, based on the \ntopic of this hearing, which deals with data, data integrity, \nand privacy, that I felt that Mr. Milholland was a better \ntechnical expert because he's our Chief Technology Officer, and \nMs. Hall Ingram does not deal as directly in the issues of data \nsafeguarding.\n    Mr. Jordan. Is Ms. Hall Ingram in Washington today?\n    Mr. Werfel. Yes, she is.\n    Mr. Jordan. So there's no family responsibilities, no \nhealth concerns, no other reason why she couldn't be here \ntoday?\n    Mr. Werfel. I don't know about any of those situations \npersonally, no.\n    Mr. Jordan. But, to best of your knowledge, she's working, \nshe's a few blocks away today, right?\n    Mr. Werfel. Yes, she's at the IRS.\n    Mr. Jordan. Okay. And I know you've testified five times in \nfront of various--or six times, I think you said, in front of \nvarious committees. But how long, again, have you been at the \nIRS?\n    Mr. Werfel. Roughly a month and a half.\n    Mr. Jordan. Okay.\n    Mr. Werfel. Coming up on 2 months.\n    Mr. Jordan. All right.\n    We want to put on the screen here a couple slides, if we \ncould. And just so you--this was a presentation given to the \nIRS Oversight Board May 2nd of this year.\n    And then I want to go to page 5, because this relates \ndirectly to most of your opening statement, Mr. Werfel, where \nyou talked extensively about 6103. But I want to read--it may \nbe a little difficult. I'll read the second bullet point.\n    ``The ACA added Section 6103(i)(21) to authorize the IRS to \ndisclose Federal taxpayer information to exchanges, Medicaid, \nand CHIP agencies and their contractors to support income \nverification for ACA needs-based eligibility determinations.''\n    6103 info is pretty important information; isn't that \ncorrect, Mr. Werfel?\n    Mr. Werfel. Absolutely.\n    Mr. Jordan. Almost viewed as sacred, correct?\n    Mr. Werfel. Within the IRS, for sure.\n    Mr. Jordan. Yeah. In fact, you've used that, you've used \n6103 as a reason not to answer some of my questions I've asked \nyou in some of those previous appearances you've had in front \nof this committee. And most of your testimony dealt with it. In \nfact, there's a story in yesterday's Washington Examiner where \nthis was breached and a political figure had personal \ninformation, donor information, that went public, according to \nthe Inspector General. So this is important stuff.\n    Do you know who happened to--do you know who gave this \nbriefing to your Oversight Board on May 2nd, 2013, Mr. Werfel?\n    Mr. Werfel. I don't know, but I'm assuming you're going to \ntell me.\n    Mr. Jordan. Yeah, we are. Who do you think it is? Can you \nhazard a guess?\n    Mr. Werfel. If you would allow me, I mean, I think we can \nget to some of the points you're tying to raise. I'm not going \nto dispute that Ms. Hall Ingram is not integrally involved in \nour ACA work. What I'm----\n    Mr. Jordan. No, no, no, wait, wait. What you just said a \nfew minutes ago, maybe a minute and a half ago, was you were \nthe person best equipped to answer our questions, even though \nthe chairman invited Ms. Hall Ingram. And yet Ms. Hall Ingram \nis the very person who gave this briefing talking about 6103 \ninformation, which you highlighted in your testimony as being \nso darn important.\n    So the very lady who is doing the oversight briefing to the \nOversight Board who we wanted to have come talk about this \ninformation, making sure taxpayer information was confidential, \ngave that briefing, you called up Chairman Lankford and said, \n``No, no, I don't want her to come. I'll come instead.''\n    Mr. Werfel. Can I respond?\n    Mr. Jordan. And you've been here all of 63 days. She's been \nhere 31 years, since 1982. In fact, she's the central figure in \ntwo of the biggest stories in the country, the IRS targeting \nand the implementation of Obamacare. And these two gentlemen \nasked her to come, and you called up and said, nope, we don't \nwant the lady who briefed the Oversight Board, we don't want \nher to come; I'll come instead and use my 63 days of expertise, \nversus her 32 years, 31 years of expertise.\n    Ms. Speier. Mr. Chairman, with all due respect, Mr. Werfel \nhas presented himself very, very competently in every area \nand----\n    Mr. Jordan. Mr. Chairman, did I yield the time? I don't \nthink I yielded her time.\n    Mr. Lankford. Yeah, the gentleman did not yield on it. I \nwant the gentleman to be able to retain the time----\n    Mr. Werfel. May I respond?\n    Mr. Lankford. --and for Mr. Werfel----\n    Mr. Jordan. Yeah, you can respond. I hope you will respond.\n    Mr. Werfel. I will respond.\n    Mr. Lankford. And, Mr. Werfel, absolutely, we'll give you \nthe time to be able to respond.\n    Mr. Werfel. I appreciate that.\n    First of all, Congressman, I don't agree with your \ncharacterization of the nature of my phone call with Mr. \nLankford and the reason why I and Mr. Milholland are sitting \nhere today.\n    What I feel is appropriate and what I think IRS \nhistorically feels is appropriate is, when there's a hearing, \nwe balance a lot of different factors in figuring out who the \nbest witness is to present the information to Congress. Two of \nthose factors are accountability--and I'm the most senior \naccountable official within the IRS----\n    Mr. Jordan. I understand that.\n    Mr. Werfel. --and second is technical knowledge and \nexpertise on this subject matter.\n    The hearing invite that we received asked us to pay \nparticular attention on our coordination with other agencies, \nHHS and IRS coordinations, regarding safeguards of the personal \ndata of individuals who purchase coverage through the \nexchanges.\n    So what I suggested to Mr. Lankford is a combination of me, \nthe most senior accountable official in the organization, and \nthe Chief Technology Officer of the IRS, Mr. Milholland----\n    Mr. Jordan. And, Mr. Werfel----\n    Mr. Werfel. --would provide the best input to the \nsubstantive----\n    Mr. Jordan. I get it, Mr. Werfel.\n    Mr. Werfel. --content of this hearing.\n    Mr. Jordan. And I respect that.\n    But if I could, Mr. Chairman, we have the minutes, we have \nthe meeting notes from that presentation given by Ms. Hall \nIngram----\n    Mr. Werfel. She's knowledgeable on these issues. I'm \nsaying----\n    Mr. Jordan. No, no, no, but let me just read.\n    Mr. Werfel. --Mr. Milholland is more knowledgeable.\n    Mr. Jordan. Just let me read. Well, if he's more \nknowledgeable, why didn't he do that briefing?\n    So let me ask you--here's what it says. ``Ms. Ingram \ndiscussed the security and safeguard programs at the IRS, that \nthe IRS has in place regarding sharing of data among its \npartners.'' If he's the expert, he should've done that \nbriefing.\n    And, frankly, the chairman didn't ask for Mr. Milholland. \nThey asked for Ms. Sarah Hall Ingram, who is head of the \nAffordable Care Act Office at the IRS.\n    Mr. Chairman, I yield back. But, I mean, look, we've got \nthe two biggest issues, maybe the two biggest issues in the \ncountry, the lady who's at the center of the storm in both of \nthose. We asked her to come here, and she doesn't come. Even \nthough she's briefing everybody else on the issue, she won't \ncome brief the Congress, just like Lois Lerner won't talk to \nCongress.\n    Ms. Speier. Mr. Chairman, I have a point of inquiry.\n    Mr. Lankford. Yes, ma'am.\n    Ms. Speier. We have a 5-minute limit per Member. Mr. Jordan \njust exceeded it by 1 minute and 48 seconds.\n    This is a hearing on evaluating privacy security and fraud \nas it relates to ACA, and this entire questioning was whether \nor not a particular individual should have been here versus the \nhead of the agency.\n    If we are going to conduct this hearing----\n    Mr. Jordan. Mr. Chairman?\n    Ms. Speier. --as a witch hunt----\n    Mr. Jordan. It's not a witch hunt Mr. Chairman.\n    Mr. Lankford. Hold on.\n    Mr. Jordan. Would the gentlelady yield?\n    Mr. Lankford. The gentlelady has the time. Hold on.\n    Ms. Speier. --then I will object. I want this to be an \noversight hearing by this committee. You have shown great \nleadership in this committee.\n    I believe that what we should be doing is looking at where \nthe holes are, in terms of making sure the ACA is effective as \nit is rolled out, where the resources need to be employed, \nwhere there may be loopholes, where there are issues that we \nhave to address. And that's what I hope this hearing will \ncontinue to do.\n    Mr. Lankford. There are multiples of those----\n    Mr. Jordan. Mr. Chairman?\n    Mr. Lankford. I will yield to the gentleman.\n    Mr. Jordan. I would just ask unanimous consent to enter the \nmeeting notes from the very meeting Ms. Hall Ingram briefed the \nIRS Oversight Board, specifically this sentence: ``Ms. Ingram \ndiscussed the security and safeguard programs the IRS has in \nplace regarding the sharing of data among its partners, \nincluding those for ACA programs,'' end of story.\n    Mr. Lankford. Yeah. Without objection.\n    Mr. Lankford. The time period is obviously at the \ndiscretion of the chair. There have been a couple Members that \nhave gone over by a couple minutes, some as long as 2 minutes, \nactually, so far in our time period.\n    We are going to try to honor the 5-minute time period, but \nI've always been fairly loose on that with Members on both \nsides, that if there is an appropriate question that's going on \nand they want to give an appropriate response--and, Mr. Werfel, \nI do want you to still have time to respond to Mr. Jordan's \nquestion that he ended with, if you choose, to be able to do \nthat, as well.\n    We did have an interchange, we had multiple conversations \non that. It was very respectful of your position. You obviously \nhave a difficult spot. You're walking into the middle of a lot \nof issues with the IRS. This is one of several and a moving \ntarget.\n    I did express to Mr. Werfel that I felt Mrs. Ingram seemed \nto be, as we're looking at the flowchart, the best person to be \nthere. Obviously, Mr. Milholland has a crucial role in the data \ntransfers on that. Mr. Chao has an incredible role in this from \nthe HHS perspective and what's happening. A lot of what we're \ndealing with deals specifically with the regulatory nature of \nthis.\n    So, Mr. Werfel----\n    Mr. Werfel. The only thing I would say--and I can be very \nbrief--is that there are multiple people within the IRS with \nsubstantive understanding of the issues of 6103 and the \nsafeguarding. You have two individuals right now, one that's \nthe accountable official and one who is a subject matter expert \non the issue, and we're here and ready to answer any \nsubstantive questions you have on these matters.\n    Mr. Lankford. Yeah, we will continue to press on with that. \n\n    Mr. Cardenas, you are recognized.\n    Mr. Cardenas. Thank you very much, Mr. Chairman.\n    I would like to compliment the witnesses so far. It must be \npretty trying, trying to stay on point even though some of the \nquestions are trying to take us all off point here. And it's \nunfortunate that some members of this committee and this \nsubcommittee are just hellbent on wanting to bring issues back \nbefore the public that really are not as relevant as the \nsubstantive issues as to why this hearing was even convened. \nBut I would like to get us back on point.\n    In an opinion piece published in the U.S. News and World \nReport in June, Congress Representative Diane Black made \nallegations about the data hub that we're talking about today. \nI'd like to mention one in particular and would invite the \npanel to comment and clarify, if necessary, about this \ninformation that was put out to the public by Congresswoman \nDiane Black.\n    Congresswoman Black wrote, and I quote, ``For the purposes \nof implementing and enforcing Obamacare, the Department of \nHealth and Human Services, through regulator fiat, is building \nthis hub, a Web portal where personal information such as \nmedical records, tax and financial information, criminal \nbackground, and immigration status will be shared and \ntransmitted between agencies, including the IRS, HHS, the \nDepartment of Justice, Department of Homeland Security, and the \nSocial Security Administration, as well as State governments.'' \nAll right? And that's the end of that quote.\n    Ms. Tavenner and Mr. Chao, can you clarify, will personal \nmedical records be accessible through the data hub?\n    Mr. Chao. No, they will not be.\n    I think the quote or the description is a bit inaccurate, \nin terms of it doesn't describe about the flow of information, \nthe type of data, and, certainly, we are not collecting, you \nknow, personally identifiable health information on any \nindividuals throughout this application process.\n    Mr. Cardenas. Anything else on that point?\n    Okay. Thank you.\n    It's important that there perhaps should be penalties for \nany misuse or disclosure of information. As far as you can \ntell, would there need to be congressional approval to \nimplement levels of civil or criminal penalties for those who \nwould willfully and knowingly violate privacy laws?\n    Mr. Chao. I'll also defer to IRS for their piece.\n    I think, for us, there are already civil and monetary kind \nof penalties under U.S. Code that govern access to Federal \nSystems, of which, you know, we do apply that. Specifically to \nthis application process, I'm not aware of anything that has \nchanged with that in the application of those civil monetary \npenalties under U.S. Code. So I will--I can certainly get back \nto you with more specifics on that.\n    Mr. Cardenas. Thank you.\n    Mr. Werfel. And I was just going to reinforce that by \nsaying that the protections that we're putting in place on the \ndata are leveraging longstanding, existing procedures that are \nin place, including penalties and approaches, working with the \nInspector General, that we have long-term experience with.\n    Because, as I mentioned earlier, this is not the first time \nthat the law has contemplated sharing taxpayer information from \nthe IRS out into other Federal agencies and other State \nagencies. And so we have a strong track record of robust \nprocesses, and those are going to be leveraged here.\n    Mr. Cardenas. Are they getting better, those processes, as \ntechnology changes and as we have to defend ourselves from \nattacks?\n    Mr. Milholland. I'll answer that from the point of view of \nthe IRS.\n    We use a defense in depth and breadth concept. That is, \nwhatever the access controls might be, for example, there are \neight levels of protection as you come into the IRS \nelectronically. But there is also a breadth approach that says, \nnot just access controls, but preventative measures you might \nwant to take for insiders, say, and a number of implementations \nof technical capabilities that allow us to try to be detect if \nthere is inappropriate access to the information.\n    So these same kind of practices we pass over to our \nSafeguards group and, particularly, provide our cybersecurity \nexperts from Information Technology to assist them in their \nsafeguard reviews. So those reviews that take place outside of \nthe IRS have the best technical support that's available to the \nIRS, in which we've built what we believe is a--I'll say a \nbest-in-civil-government approach to information security.\n    Mr. Cardenas. Thank you very much.\n    With what little time I have left, I would like to thank \nthe panelists. I think you've been doing a really good job \ntrying to stay on point and continuing to answer the questions \nas honestly and forthrightfully as you should be before any \ncongressional hearing.\n    And I would hope that you would share with your colleagues, \nwhenever they're summoned to this committee or any committee, \nto watch this tape so that you can show them that you can stand \nyour ground and don't succumb to badgering and things of that \nnature trying to get you off point. Thank you so much for your \nprofessionalism.\n    I yield back.\n    Mr. Lankford. Mr. Walberg?\n    Mr. Walberg. Thank you, Mr. Chairman.\n    And thank you to the panel for being here. And we're not \ngoing to attempt to badger in any way, but we would like \nanswers to questions as quickly as possible.\n    Ms. Tavenner, thank you for being here. Let me ask you, in \nrelation to the HHS issuing a final rule that requires a \ntaxpayer enrolled in a health plan through a State exchange to \nreport certain changes in circumstances within 30 days, these \ninclude changes in residency, as I read it, and income. Is that \naccurate?\n    Ms. Tavenner. I believe so, but I'd have to double-check \nthe rules.\n    Mr. Walberg. Well, let me follow up, hoping that maybe this \nwill help.\n    The question I would have: If, indeed, this is the case, a \n30-day requirement, if I get a raise, if I get a demotion, if I \nstart a new job, if I lose a job, am I required to run to my \nState exchange and notify them of those changes?\n    Mr. Chao, if you could.\n    Mr. Chao. Commissioner Werfel mentioned earlier that the \nprocess allows for a reconciliation via the tax-return-filing \nprocess of any advance premium tax credits that were paid on \nyour behalf to the issuer that you enrolled in. And while we, \non a consumer, you know, kind of customer service perspective, \nask people to report it as early as possible----\n    Mr. Walberg. Well, it says 30 days.\n    Mr. Chao. Yes. Yes. And----\n    Mr. Walberg. But you're going to be flexible on that?\n    Mr. Chao. Well, I think, you know, by requirement, it's 30 \ndays, but if something were not to be, you know, kind of \nreported in that time span--and we are recommending for people \nto report changes timely--there is the reconciliation that will \nkind of pick up any adjustments that are necessary.\n    Mr. Walberg. So even I leave a State where my exchange was, \nor my marketplace, I guess is the new term, I will have some \nflexibility on reporting?\n    Mr. Chao. Correct.\n    Mr. Walberg. Okay.\n    Let me move on. Ms. Tavenner, this is just a yes/no series \nof questions and answers here.\n    Will exchanges be allowed to enroll individuals to receive \nadvance premium tax credits even if their income cannot be \nverified by the IRS, yes or no?\n    Ms. Tavenner. I think there are several steps, but, yes, \nthere is a possibility that if their income can't be verified \nthey could still be eligible after they complete another series \nof tests.\n    Mr. Walberg. Will exchanges be allowed to enroll \nindividuals to receive advance premium tax credits even if \ntheir household size cannot be verified by the IRS?\n    Ms. Tavenner. I think household size is verified by the \nindividual and to the extent that IRS can provide it. But, yes, \nthere are additional steps, including self-attestation.\n    Mr. Walberg. Will exchanges be allowed to enroll \nindividuals to receive advance premium tax credits even if \ntheir citizenship status cannot be verified by the Department \nof Homeland Security?\n    Ms. Tavenner. As you are aware, the Affordable Care Act \nonly allows if we are able to verify citizenship or----\n    Mr. Walberg. Well, in this case, they're saying they are; \nthere's no firm verification. So another flexible area where \nwe're really uncertain whether the benefits are allowed or not \nallowed, right?\n    Mr. Chao. The process works in that, when there are \naccurate data sources to verify against what's on the \napplication, it is done so, you know, online in realtime.\n    There are cases in which when data and information is not \nnecessarily in synchronization with what the person is \nreporting as the household, we have a step in the process \nwhereby they move into an inconsistency period in which we have \neligibility support workers. It's a complement of almost, like, \ncustomer service reps that will work with you to identify, you \nknow, other means to verify, you know, your household size, \nyour income.\n    And while it's kind of a labor-intensive process, we have \nbuilt that in so that we can get as accurate a determination \nand enrollment as possible.\n    Mr. Walberg. But while it's going on, it's very uncertain?\n    Mr. Chao. No, it's a process----\n    Mr. Walberg. Citizenship status----\n    Mr. Chao. Well, for the consumer's sake or the household's \nsake, the process continues, and they move on to receiving \ncoverage and enrollment in a QHP. But we're, in the back end, \nmaking sure that that data is accurate.\n    Mr. Walberg. Will exchanges be allowed to enroll \nindividuals who receive advance premium tax credits even if \ntheir Social Security number cannot be verified?\n    Mr. Chao. No. That process will go into that inconsistency \nor exception process, and that's probably a pre-, early kind of \nstep in the process, because the first thing we have to do is \nto validate a Social Security number via SSA before we talk to \nIRS with that validated Social Security number.\n    Mr. Walberg. If they haven't had any previous tax returns, \nfor instance----\n    Mr. Chao. Well, that's why----\n    Mr. Walberg. --how do you verify this?\n    Mr. Chao. That's why we have that inconsistency process \nwhereby for 90 days we will work with the applicant filer to \nmake sure that that information, the required information, is \nvalidated on the application.\n    Mr. Walberg. Mr. Chairman, my time has expired. Thank you \nfor the additional time. This is an uncertain setting, isn't \nit?\n    Mr. Lankford. Ms. Lujan Grisham?\n    Ms. Lujan Grisham. Mr. Chairman, thank you very much.\n    And I also appreciate the opportunity to talk about the \nreadiness and capability and make sure that we're covering \nbroad consumer protections, specifically privacy.\n    I might point out before I get to my question that States \nfor decades have been collecting financial and healthcare \ninformation from Medicaid recipients, including children, and \nworking very hard as the technology opportunities have enhanced \nto make that interoperable and realtime so that individuals \naren't doing independent applications by hand between one \ndepartment that's covering developmentally disabled populations \nand another department that's doing brain injury and another \ndepartment that's responsible for level of care and another \ndepartment that's required to do the financial verifications, \nincluding going to their bank statements.\n    And we're doing that successfully. And, in fact, after 20 \nyears, I'm not aware of a single State that's had privacy \nissues as the core issue, by any stretch of the imagination, or \nthose consumer protections. We've had issues about Medicaid \nimplementation, effectiveness, some fraud by providers, and all \nthings that we should be looking after. But I'm not aware of \nanything, including hospitals and their discharge work and \ntheir own Medicaid eligibility sending provider to provider and \nprovider to State, in fact, the very same information that \nwe're now going to do at the Federal level.\n    So I'm happy to say that New Mexico is one of those States \nthat is glad to help you do this, because we've been doing it \nsuccessfully in many of these components for a long, long time.\n    But to be successful, I'm concerned--and you might have \ncovered this already--I'm concerned about having a budget that \ngives you the staff, that checks, that double-checks, that \nmakes sure that you're meeting the requirements that we intend \nin Congress, both for consumer protection and to make sure that \nwe get these eligibility issues streamlined effectively since \nwe're using a Web-based aspect here.\n    So the Republican budget out of the Appropriations \nCommittee cuts your budget by 24 percent. And I recognize that \nthis committee is concerned about IRS issues; I'm concerned. I \nintroduced legislation that would clarify that ``exclusive'' \nmeans exclusive for 501(c)(4)s. I don't believe that there's \nbeen targeting, but I think we don't have the right processes \ninvolved to do it adequately and objectively and correctly. So \nthis will, I think, help us.\n    Commissioner Werfel, can you talk to me again specifically \nabout what a 24 percent budget cut does to adequately and \nefficiently implement the requirements of the Affordable Care \nAct by the IRS?\n    Mr. Werfel. It's extremely challenging, in general. I think \nwhen you talk about a 24 percent budget cut for the IRS, you \nhave to start with the reality that all of our mission-critical \nactivities will be severely impacted. That means our ability to \ncollect revenue, work with taxpayers to help them navigate the \nTax Code, do enforcement, go after bad actors who are seeking \nto defraud the system, meet other mandates.\n    We have many legal mandates on our plate right now. We have \nwork that we're doing under a law that's called FATCA that \ndeals with disclosing information that's in offshore accounts \nthat's unreported. We have legal mandates under that.\n    So when you talk about a 24 percent cut, you really are \nnegatively impacting taxpayers--small businesses, individuals, \nfamilies----\n    Ms. Lujan Grisham. So this has effects well beyond the \nAffordable Care Act.\n    Mr. Werfel. Absolutely.\n    Ms. Lujan Grisham. And while, before I lose my minute, I \nwant to make sure that you hit some of the specifics about the \nAffordable Care Act, and I want you to highlight that for every \ndollar that comes into the IRS--that includes the staffing \nresources to do the work that you're required to do--it brings \nin about 6 Federal dollars.\n    And, for me, this seems like a very political attempt to \nundermine the implementation of the Affordable Care Act instead \nof what this committee, in particular, should do, is to make \nsure that the IRS can meet all of its obligations under current \nlaw.\n    Mr. Werfel. Right. So I think the ACA tracks some of the \nbroader responsibilities for the IRS. Our efforts to \nmodernize--and here, for the ACA, we have to build technologies \nto meet these mandates. That certainly would be impacted by \nsevere budget cuts.\n    Our ability to work with taxpayers, whether on the phone or \nbuild new tools through IRS.gov so that they have clarity, \nwhether it's an individual or an employer, we do that in the \ntax law generally. It would certainly be impacted by the ACA. \nHarder to get someone on the phone, harder to get information \nat a taxpayer assistance center, et cetera.\n    And then we have protecting information. You know, we have \npeople in place that are doing these reviews and oversight of \nagencies that hold taxpayer data. Significant and severe budget \ncuts would impact our ability to secure the data.\n    And then, obviously, enforcement has been a major theme in \nthis hearing about fraud. We have to have tools in place, both \ntechnology and analytics and expertise and criminal \nenforcement, to make sure that everyone's playing on a level \nplaying field and no one's getting a benefit or money that they \ndon't deserve.\n    Everything I just said, I think, is relevant across the \nIRS. Everything I just said is relevant to the ACA. And I \nwelcome a debate and a dialogue around the IRS budget and, in \nparticular, what a 24 percent cut would do.\n    Again, my bottom line is I think it's important to look at \nit from the perspective of the taxpayer--the individual, the \nsmall business, the large business, the nonprofit, whatever it \nis. They will face very significant concerns and consequences \nwith a 24 percent cut to the IRS, because they won't be able to \naccess critical services. Because the Tax Code doesn't go away. \nThey still have to comply with the Tax Code. They still have to \ncomply, and they often seek and get IRS help in doing so. And \nour ability to provide that help and assistance will be \ncompromised.\n    Ms. Lujan Grisham. Mr. Chairman, I'm well over my time. I \nseek the committee's indulgence for a quick follow-up?\n    Mr. Lankford. Yes.\n    Ms. Lujan Grisham. Quickly, so you're going to have to move \nstaff and shift your priorities. Have you thought about where \nyou would start? Give me that. Where would you shift personnel \nto meet the Affordable Care Act implementation?\n    Mr. Werfel. Well, we're already starting--you know, if you \nlook at the sequester impacts, we're already, for example, our \ntaxpayer assistant centers are closing at 1:30 now, and so less \npeople are getting in. Our call centers have less people \nsitting ready to take calls, so our level of service numbers \nare going down.\n    Ms. Lujan Grisham. Okay.\n    Mr. Werfel. I mean, it's just--the budget cuts that we \nface, the billion dollars between 2010 and 2013, which in part \nis due to sequester, are impacting our ability to serve and to \nenforce.\n    Ms. Lujan Grisham. Thank you.\n    Thank you, Mr. Chairman, for your indulgence, and the \ncommittee's as well. I yield back.\n    Mr. Lankford. I recognize the chairman of the full \ncommittee, Mr. Issa. \n    Mr. Issa. Thank you.\n    Mr. Werfel, when did you start at OMB?\n    Mr. Werfel. August 4th, 1997.\n    Mr. Issa. And you've got 63 days or so in your current job.\n    Mr. Werfel. Yeah, I'm coming up on my 2-month mark.\n    Mr. Issa. And so you were in a key position to work with \nthe President, quite frankly, during the discussion leading up \nto his offering and signing what became known as sequestration, \nright?\n    Mr. Werfel. I was not involved in the Budget Control Act \nnegotiations. I was involved, back in August 2011 when the \nBudget Control Act--my role was to work with the Treasury \nDepartment to prepare administratively for a potential breach \nof the debt limit. But I wasn't on the side of----\n    Mr. Issa. Okay. Well, I'm just trying to understand the \nrevisionism that's going on here. OMB did have a critical role, \nbroadly, in the decision that the President made to go for \nsequestration. So, you know, you're sort of feigning that this \nis so terrible, when, in fact, this was the President's \ndecision, and now that it's become law and it's affecting you, \nyou're saying you can't do your job. Well, I appreciate that \nthat may be true, but let's go through some numbers.\n    While you were at OMB, you opposed the DATA Act that was \npassed unanimously out of this committee. To a certain extent, \nyou were helpful in making sure the Senate never picked it up.\n    Now, the reason for the DATA Act was to mandate structured \ndata so that interoperability of government databases with \nstrong enough metadata to secure and ensure that confidential \ninformation would always be in a way that it could not \naccidentally go from field to field in some sort of a mix so \nthat organizations like the IRS, when they want to look at SEC \nand they want to look at multitude of filings, would be able to \nlook at that data transparently in order to do better audits \nwith less people.\n    Isn't that roughly what we sold to the Senate but they \ndidn't buy?\n    Mr. Werfel. As I've testified before this committee wearing \nmy former hat, I personally and I think the administration \nagreed with the objectives of the DATA Act. Our concerns were \nnot about what you were trying to achieve; it was the how. And \nwe were concerned about some of the additional bureaucratic \nlayers of new organizations in place with roles and \nresponsibilities on data standardization, which is what caused \nus our concerns.\n    Mr. Issa. You know, what's amazing is I didn't get offered \none amendment from the administration in order to perfect that. \nAnd, candidly, what we're talking about here today, data \nsecurity and the comfort level that interoperable databases and \nparticularly those that are exposed to non-IRS employees, which \nwill be every piece of information that we care about almost \nwhen it comes to our tax records and earnings and ultimately \nthe healthcare information, is not going to be covered by a \nmandate but rather by good intentions.\n    Let me go through one quick question here. As part of this \nprocess, this committee has been looking at the IRS and figured \nout that you gave, you know, $260 million, but a total of about \nhalf a billion dollars was given to a company that was at best \na shell and perhaps a fraud. This committee had their CEO there \nrecently. And you've had to finally cancel that contract. But \non July 4th, 2013, CMS awarded a potential 5-year contract \nworth $1.2 billion to a British company, Serco.\n    Now, at least our information is that the FBI has also \ndiscovered Serco's computer systems serving with the Federal \nThrift Savings Plan were hacked. In other words, these people \nwho are going to run this data have already compromised, \naccording to the FBI, 123,000 Social Security numbers. \nAdditionally, the FBI has discovered that--oh, I'm sorry, \nthat's a repeat. Additionally, they're also being investigated \nin Britain at some point.\n    I guess my question is--Serco has an incredibly large \ncontract and have proven, as of right now, a failure. Can you \nsay with confidence that if we give them this much larger \ncontract, that on day one they're not going to be in a position \nto compromise another 123,000 Social Security numbers? \n    Mr. Chao. The Serco contract is actually with CMS, and it's \ncalled the eligibility support worker contract.\n    And we've been working with Serco--just recently, you know, \nthey've been awarded, so for the past 2 weeks we've been \nramping up. And one of the top issues that we're going over is \nthe security rules and procedures and policies that apply to \nthem under the general, kind of, FISMA Act of 2012, HIPAA, and \ntheir own corporate practices and procedures. They----\n    Mr. Issa. Right. But did you know about these problems and \nfailures before you awarded the contract?\n    Mr. Chao. No, I was not a part of the contract award \nprocess----\n    Mr. Issa. Okay, but now that you know about it, we're \nworking with an entity that apparently does not have the \ninternal controls or track record, and yet you're here today \nsaying that, in a matter of days, they're going to have a major \nrole in major data; is that correct?\n    So we're working to get a group up to speed that doesn't \nhave a proven track record. My whole question to you is, in the \nawarding of a contract, wouldn't you need an assurance before--\nI mean, in other words, I'm not saying you couldn't make them \nready for prime time in a year or 2. The question is, where's \nthe pilot, where's the proof, where's the confidence that what \nhas just recently happened won't happen again?\n    You know, I don't normally have something in front of me \nthat says the FBI has this problem and you've got a brand-new \ncontract pursuant to Obamacare.\n    Let me just hit one more point.\n    Mr. Werfel, this committee has a broad set of \ninvestigations going on related to the organization you're \ntrying to fix, and today is one part of our concern. But you're \nfamiliar with the 6103, what it means; is that correct?\n    Mr. Werfel. Yes, sir.\n    Mr. Issa. And 6103 was designed and passed into law to \nprotect the American taxpayer from his or her tax records being \nlooked at by outsiders or released; is that correct?\n    Mr. Werfel. Yes.\n    Mr. Issa. Was it ever intended to protect from Congress \nfinding out when taxpayers have been abused? In other words, \nshould there ever be a claim of 6103 when the victim themselves \nis asking for the release of the information?\n    Mr. Werfel. Well, I think you're raising a policy question \nin terms of how 6103 is structured. Right now, it's \nspecifically structured to prevent us from sharing certain \ninformation except to the authorizing tax committees. Whether \nthat should be expanded or not I think is a public policy \ndiscussion on the nature of 6103. But we follow the law, and \nthe law requires us to restrict access, except to Ways and \nMeans.\n    Mr. Issa. Right. But--and I'm going to finish, because I'm \ntrying not to go any further over time.\n    The fact is that if we don't know the name and the Social \nSecurity number or Federal ID of an entity, we don't know their \naddress, and we don't see financial information, that was the \nintent of 6103. Today, your organization is working to say \nthat, for example, knowing how many groups waited how long, how \nmany groups are still waiting, those kinds of answers, and \nwhether there is so much as one individual.\n    And I'll give you an example here today. There are the so-\ncalled test cases that we've had, two test cases. When we ask, \nis one of them still waiting, and we find out, yes, one of them \nis still waiting, people are saying, well--and I sent you a \nletter yesterday, with the other chairman and subcommittee \nchairman--we're being told, well, that may be 6103.\n    To know that a victim was isolated 3 years ago, pulled \naside, and has never been given a ``yes'' or ``no'' answer, to \nknow that they're still not giving a ``yes'' or ``no'' answer, \nthe claim that that's 6103 is a claim that, in fact, Congress \nand the public is not entitled to know that information.\n    And I ask it that way for a reason. I understand another \ncommittee can see certain information, but it's the public \nthat's entitled to know.\n    Isn't it true that at least one entity that applied more \nthan 2 years ago still does not have a ``yes'' or ``no'' after \nthe abuse that has become public that we're all aware about as \nto ``Patriot'' and ``Tea Party'' organizations?\n    Mr. Werfel. So, three quick responses.\n    One, just to reemphasize, we do share the information, but \nthe law restricts us from sharing it only with the chairman of \nHouse Ways and Means and the chairman of Senate Finance.\n    Second, a taxpayer can, under 6103, authorize broader \ndisclosure. They can waive their rights, and you can get the \ntaxpayer to--say, ``It's important to make this publicly aware, \nbut I need you to sign something,'' and often taxpayers agree \nto do that.\n    And, third, with respect to--you know, as I've testified \nbefore you, I'm concerned about the delay that we've seen in \napplication packages in our Exempt Organizations unit. And \nperhaps in a different setting, whether off the record or on, I \ncan walk you through very important reforms that we're making \nto our 501(c)(4) process to correct that from ever happening \nagain.\n    Mr. Issa. Well, just for the record, if an organization \nsays, we'll waive our 6103 rights so the committee can see the \nindividual records, the IRS's current position is they won't \nshow us the emails where they conspired against or debated \nthat, ultimately, we don't need to see their records, they can \nhand us their records. We need to see who at the IRS was \ndelaying and denying and dealing with it, and that's individual \nemails with specificity as to those 501(c)(4)s.\n    Thank you. I yield back.\n    Mr. Lankford. Ms. Maloney?\n    Mrs. Maloney. Well, thank you.\n    The chairman raised an important point, that a contractor \nreceived this contract on very sensitive information, an \nimportant one, and, according to his words, it doesn't have a \nproven track record.\n    You know, I want to know how that happened. Don't you look \ninto the backgrounds to make sure they know what they're doing? \nI'd like to speak to Mr. Chao.\n    And, also, I would like you, Mr. Chao, to also talk about \nhow difficult it is to reconfigure the data hub that you are \nnow raising and running if a State decides to assume more or \nless responsibility for an exchange. Are you adaptable?\n    Now, I would like to put a little good news into the \nhearing today. The New York Times reports that the health-plan \ncosts for New Yorkers is set to fall 50 percent. Now, this is \ngreat news for consumers, and it's an extraordinary decline in \nNew York's insurance rates for individual consumers.\n    So it shows the profound promise of the Affordable Care \nAct. But you can't get to the Affordable Care Act if the \ncomputer system isn't working. So this is a very clear thing, \nand I'd like to know more about it.\n    But I'd like you to comment on this article and how your \nhub can address--I know that some States have not gotten their \nexchanges up and running. So how are you adjusting with States \nthat don't have it up and running?\n    New York State, to its credit, has gotten it up and \nrunning, and it has great promise for consumers.\n    So how are we making this configuration? And I guess, Mr. \nChao, as the head of the hub, maybe you should be the one to \nanswer.\n    Ms. Tavenner. Congresswoman, with your permission, could I \naddress the New York issue and the Serco issue?\n    Mrs. Maloney. Sure.\n    Ms. Tavenner. On the New York issue, we were obviously \npleased to see that this morning. And I think it reaffirms what \ncompetition and transparency can do in a marketplace, and that \nreally is what we're doing in the Affordable Care Act, \neffective in October and beyond.\n    On the Serco issue, notwithstanding what the chairman just \nbrought to our attention, Serco is a highly skilled company \nthat has a proven track record in this country and has done a \nlot of work with other Federal agencies. We are actually \nworking with the U.S. corporation, and they are actually \npresent in three States. And we--they were awarded through a \nfull and open competition, so, obviously, they do have a track \nrecord with security and privacy.\n    And I'll turn it over to Henry to answer the other \nquestion.\n    Mrs. Maloney. You know, but, also, can the system handle \nthe varying degrees of astuteness or availability or readiness \nof different States?\n    Ms. Tavenner. Yes, and that's where I think Henry comes in.\n    Mrs. Maloney. Do you have a different system for each \nState, or is it all one central, big system? And is it \ngovernment or private?\n    Mr. Chao. The federally facilitated marketplace system is \ncomprised of several actual, you know, kind of, working pieces \nof system architectures that perform eligibility enrollment, \nQHP and plan management functions, financial management, you \nknow, generating payments for the issuers.\n    The hub, as we mentioned earlier, is a routing tool. It \naffords the efficiencies that are needed for multiple points \nthat are requesting the same information from authoritative \ndata sources to connect to those data sources, and then \nenforced with a uniform service level.\n    That is a scaleable system that is government-owned, and--\nit's privately contracted, but it is government-owned. It is--\n--\n    Mrs. Maloney. Who will run it? Will the government run it, \nor will the private sector run it?\n    Mr. Chao. It's a combination of government, you know, staff \nand contracting staff that will staff an operations center that \nactually monitors its operations 24 hours a day.\n    Mrs. Maloney. And where is it located?\n    Mr. Chao. It's in Columbia, Maryland.\n    Mrs. Maloney. Uh-huh.\n    Ms. Tavenner. And I would add that one of the advantages of \nhaving this hub is that, whether States or State-based \nexchanges or some type of partnership model or whether they \ndefault to the federally facilitated exchange, it's \ntransparent. It's easy for us to make those changes. And that's \npart of the----\n    Mrs. Maloney. And what is there to protect the privacy of \nthe individuals' health records? How do you protect that?\n    Mr. Chao. Well, first of all, we don't collect any health \nrecord information or store health records. I think that's an \ninteraction between a consumer that ultimately is enrolled in a \nqualified health plan and then, working with that health plan, \naccessing benefits and utilizing benefits, that that \nrelationship affords the ability to collect and store and \nprocess. That's a relationship between the consumer and the \nhealth plan.\n    The ability for us to protect privacy of the individual is \nworking with SSA and IRS and in enforcing the very stringent, \nyou know, and rightfully so, 6103 provision and flowing that \nthrough, you know, Mr. Milholland and other chief technology \nofficers and chief information officers from around the Federal \nGovernment, worked with as a group to develop what we call the \nharmonized privacy and security framework.\n    Even though each agency operates under very strict \nguidelines, its own guidelines to operationalize FISMA and \nHIPAA and 6103 in IRS's case, we had to get together because \nthis data via the hub was moving and being requested by \nmultiple entities, including the State endpoints, that there \nare their own marketplaces.\n    So we had to get together to make sure that the \nimplementation of those security and privacy controls and \noperations was harmonized and are common across all the \nagencies and not dissimilar, as if we were implementing the \nprogram in different parts.\n    So we got together early on to do this, to make sure that \nwe have greater security and privacy, you know, kind of, \nenforcement and monitoring. And the bar is set by 6103 and the \nPrivacy Act.\n    Ms. Maloney. My time is expired. Thank you.\n    Mr. Lankford. Mr. DesJarlais.\n    Mr. DesJarlais. Thank you, Mr. Chairman.\n    Ms. Tavenner, I have some questions for you, but first, Mr. \nWerfel, I just want to revisit a little bit of the dialogue \nthat you had with Mr. Jordan earlier.\n    He had asked you if Ms. Hall Ingram was in charge of the \ndepartment that oversaw the targeting of conservative groups, \nand what was your response to that?\n    Mr. Werfel. My response is that Ms. Hall Ingram has \nspecific ACA responsibilities, but there are other individuals \nwithin IRS who have responsibilities at the same level, but Ms. \nHall Ingram does play a coordinating role amongst our various \nACA activities.\n    Mr. DesJarlais. Okay. And one thing we've had, I guess, a \nhard time getting anyone from the IRS to say in multiple \nhearings that we've had is that the IRS was guilty of targeting \nconservative groups.\n    You stated that you are the most senior accountable member \nat the IRS currently; is that correct?\n    Mr. Werfel. That is correct.\n    Mr. DesJarlais. Are you willing to go on record today and \ntell the American people that the IRS did target conservative \ngroups?\n    Mr. Werfel. I have said--I've testified previously that I \nbelieve the use of political labels to screen out applicants \nfor increased scrutiny, inappropriate political labels, is \nequal to the term ``targeting,'' so I don't dispute that.\n    Mr. DesJarlais. All right. Well, it's been hard to get \nsomeone to say that, and I know that moving forward into this \nhealthcare law, that you have a credibility issue with the \nAmerican people, and I think it's very important that you be \nforthright, and I appreciate you saying that today when so many \nothers have taken the Fifth.\n    Ms. Tavenner, you had testified earlier about the \npreparedness of the CMS, and you're feeling pretty comfortable \nabout the ability to be ready on October 1st?\n    Ms. Tavenner. Yes, sir.\n    Mr. DesJarlais. Okay. I would like to submit for the \nrecord, without objection, Mr. Chairman, the data collection \ninstrument from the GAO report from June 2013.\n    Mr. Lankford. Without objection.\n    Mr. DesJarlais. Okay. Ms. Tavenner, we have a document that \nwas obtained that shows that CMS had only completed 20 percent \nof its work to establish appropriate privacy protections and \nthe capacity to accept, store and associate and process \ndocuments from individual applicants and enrollees \nelectronically and the ability to accept image upload \nassociates and paper documentation received from applicants and \nenrollees, so the fact that Obamacare became law in March of \n2015, but yet it's just a few months ago the administration had \ncompleted only 20 percent of its work to establish appropriate \nprivacy protections and capacity to accept, store, associate, \nand process documents from individual applicants, why would you \nsay the administration failed to prioritize privacy protection \nand data-sharing standards?\n    Mr. Chao. I can answer that, Congressman.\n    Mr. DesJarlais. Well, Ms. Tavenner, first, you go ahead, \nand then I have a question for you Mr. Chao.\n    Ms. Tavenner. Well, first of all, I would say that GAO \nreports and other reports are taken of a snapshot in time, and \na lot of work has been completed since that time, and I will \nlet Henry speak to the details of that.\n    Mr. DesJarlais. Okay. Mr. Chao, are you 100 percent \nfinished establishing appropriate privacy protections?\n    Mr. Chao. No, we are not.\n    Mr. DesJarlais. Okay. If not, how much and when will you \nbe?\n    Mr. Chao. I think since the last report, we are probably--\nand this is a very kind of ballpark generalized roll it up kind \nof a figure, I would say with regard to the privacy and \nsecurity, we are probably about 80 percent.\n    Mr. DesJarlais. Okay. So the snapshot a couple of months \nago, you're at 20, and now you're saying you're at 80. Are you \ngoing to be 100 percent on October 1st?\n    Mr. Chao. Yes.\n    Mr. DesJarlais. Ms. Tavenner, do you feel that that's \nreasonable that in 3 years you got to 20 percent, and now, in \n75 days, we are going to get to 100 percent?\n    Ms. Tavenner. Yes.\n    Mr. DesJarlais. Okay. In--also, there's 25 percent of the \nwork to establish the adequate technology infrastructure and \nbandwidth to support all the activities with respect to the \nexchanges. Again, why did the Administration fail to prioritize \nthis sooner? I'll ask the same question, Ms. Tavenner.\n    Ms. Tavenner. I don't know that it's a failure to \nprioritize. There is a certain workflow that has to--actually, \nfirst you have to put the regulations in process, then you \nstart to develop the product from the regulations, and this is \njust the work in progress as any complicated project. We are \nnow within the 90-day period of completing the work.\n    Mr. DesJarlais. Mr. Chao, the CMS document given to GAO \nsays that the estimated completion date establishing an \nadequate technology infrastructure and bandwidth was July 1st, \n2013. Did you meet your deadline for completion of this task?\n    Mr. Chao. We have. It's a constant changing target because \nthe target is actually----\n    Mr. DesJarlais. The deadline is moving.\n    Mr. Chao. No, the target is October 1st, and we make \nadjustments as we go to make sure that that target of October \n1st is not missed. As of this month, all the infrastructure and \nthe required, you know, hardware, software capacity, all of \nthat is available and up and running. The specific application \nsoftware, such as the ``My Account'' that I talked about \nearlier, the enrollment and eligibility pieces, the loading of \nthe QHP information to process in enrollment and a payment to \nan issuer, that is an ongoing process. All that code and those \ndatabases are still being built throughout the summer.\n    Mr. DesJarlais. Okay. So both of you are testifying today \nthat these shortfalls that are in the report that I mentioned \nare going to be 100 percent complete on October 1st?\n    Mr. Chao. Correct.\n    Mr. DesJarlais. Ms. Tavenner?\n    Ms. Tavenner. Yes, sir. And we certainly will have \nmitigation strategies. I think someone mentioned earlier, and \nin our opening comments, that we will be prepared. We will \nstart October 1, and we will certainly have hiccups along the \nway, and we are prepared to deal with this.\n    Mr. DesJarlais. Okay. Very quickly. When did you learn that \nthe employer mandate would be delayed?\n    Ms. Tavenner. When did I personally?\n    Mr. DesJarlais. Uh-huh.\n    Ms. Tavenner. On June 24th or June 25th.\n    Mr. DesJarlais. Why did the President wait till July 2nd to \nannounce that?\n    Ms. Tavenner. I don't know. I was not part of that \ndiscussion, but I actually was made aware that it was being \nconsidered on June 24th.\n    Mr. DesJarlais. All right.\n    I yield back, Mr. Chairman.\n    Mr. Lankford. Thank you.\n    The ranking member of the full committee, Mr. Cummings.\n    Mr. Cummings. Thank you very much, Mr. Chairman.\n    I want to thank you all for being here. I want to thank you \nfor what you do for the American People.\n    Mr. Werfel, I want to pick up on where Chairman Issa was \ngoing to take it to a little further. I would like to ask you \nabout the ongoing investigation into the treatment of Tea Party \napplicants for tax exempt status. During our interviews, we \nhave been told by more than one IRS employee that there were \nprogressive or left-leaning groups that received treatment \nsimilar to the Tea Party applicants. As part of your internal \nreview, have you identified non-Tea Party groups that received \nsimilar treatment?\n    Mr. Werfel. Yes.\n    Mr. Cummings. We were told that one category of applicants \nhad their applications denied by the IRS after a 3-year review; \nis that right?\n    Mr. Werfel. Yes, that's my understanding that there is a \ngroup or seven groups that had that experience, yes.\n    Mr. Cummings. As I understand it, last week, the IRS was \nprepared to make a document production to the committee. And by \nthe way, this is a request from the chairman, and those \ndocuments would have shown other categories of applicants, \ncategories in addition to the Tea Party groups we have been \nfocussing on today. Before I go any further, is that right?\n    Mr. Werfel. Yes.\n    Mr. Cummings. I understand that our committee does not get \naccess to information about specific taxpayers. I think it's \n6103, is that right, those--there are certain that prevent us \nfrom getting certain information, what Mr. Issa was talking \nabout earlier generally.\n    Mr. Werfel. That's correct. We'll make certain redactions \nif we believe that the information would be too--have too much \ninformation so that you could zero in on a specific taxpayer, \nso we'll make those redactions.\n    Mr. Cummings. I understand. Under 6103 of Title 26 of the \nUnited States Code, the IRS cannot reveal specific taxpayer \ninformation. In order to make these determinations, and this is \ngoing to what you just said, the IRS has a--have career \nemployees who are experts, this is what they do.\n    Mr. Werfel. Yes.\n    Mr. Cummings. In determining what is covered by the \nstatute; is that correct?\n    Mr. Werfel. That's correct.\n    Mr. Cummings. And in this case, these experts determine \nthat the IRS could provide this information to the committee. \nThey said the documents did not reveal specific taxpayers but \ninstead referred to categories of groups just like the Tea \nParty groups; is that right?\n    Mr. Werfel. Yes, that's correct.\n    Mr. Cummings. So, based on this established process, we \nshould have received that information last week. And by the \nway, to his credit, the chairman has been very aggressive in \ngoing after documents, but we did not receive that information. \nInstead, I understand that the Inspector General intervened. \nLet me say this again. It's my understanding that the Inspector \nGeneral intervened personally.\n    Now, Mr. Werfel, my question is, can you tell us what he \ndid, did he call you, and what did he say?\n    Mr. Werfel. Okay. The----\n    Mr. Cummings. In other words, we are being denied, this \ncommittee is being denied documents that we have requested. Let \nme finish. And the chairman, to his credit, has been extremely \naggressive in trying to get documents, and I have been accused, \nby the way, of obstructing the investigation, which is totally \nridiculous.\n    I want the documents. Now, tell me what the IG said that \nprevents our committee, that our honorable chairman, Mr. Issa \nrequested, what did he say to you to cause us not to be able to \nget the documents after your experts told us we should have \nthem? Can you tell us what--what that's all about?\n    Mr. Werfel. Yes. We were imminently going to produce a \ndocument in an unredacted form that would indicate the identity \nof a grouping of entities that we felt were similar in kind of \nscope as Tea Party in terms of its grouping, so that it \nwouldn't be able--you wouldn't be able to identify a particular \ntaxpayer because the grouping name was so broad.\n    And he reached out, when he learned that we were about to \nproduce this information, and expressed concern and indicated a \ndisagreement with our internal experts on whether that \ninformation was 6103 protected or not, and out of an abundance \nof caution, the IRS decided to redact that information until we \ncould sort through with the IG his position and understand why \nit's different from ours. And we've had subsequent \nconversations with him where we have reasserted our position \nthat the information should not be redacted, but we have not \nreached resolution with him at this point.\n    Mr. Cummings. I don't understand. I thought that the career \nofficials at the IRS, the officials who do this for a living \nday after day, hour after hour, already determined that it was \nokay for the IRS to produce these documents to the committee \nthat Chairman Issa requested. This seems very strange, Mr. \nWerfel. I know you just started, but has this ever, to your \nknowledge, happened before, the inspector general personally \nintervening to prevent disclosures to the Congress of the \nUnited States of America, have any of your staff members ever \nheard of this happening before?\n    Now, you're surrounded by folks. You can look around, and \nthey may tell you something different, and if they've got--if \nthey've got some other answers, if they haven't been sworn in, \nMr. Chairman, I ask that they be sworn in so we can know of \nthese exceptions.\n    And by the way, Mr. Chairman, I just want the same amount \nof time that Chairman Issa was given. It was a total of 10 \nminutes, with unanimous consent, please.\n    Mr. Werfel. I just don't know the answer to that question. \nI personally am not aware of any similar situation, but we can \ntake that question back and do a broader inquiry amongst the \nIRS leadership and other professionals and get an answer.\n    Mr. Cummings. I ask that you please have that answer to me, \nif you can, by tomorrow morning. We're going to be seeing the \ninspector general tomorrow, and I want to make sure that I do \nnot prejudge him. I do not want to put anything out there to \naccuse him of anything and then go searching for facts. I \nsimply want the truth so that we can restore the trust.\n    Our interest is in getting as much information as possible. \nSo, let me make sure I understand this. If the inspector \ngeneral withdraws his objection, will you produce that \ninformation to the committee that Chairman Issa requested?\n    Mr. Werfel. Yes.\n    Mr. Cummings. Now, let me say something else. Ms. Tavenner \nand Mr. Chao, I heard Mr. DesJarlais' questions, and as I sat \nhere and I listened to my good friend Mr. DesJarlais and he \ntalked about, at one point, you were at 20 percent with regard \nto the privacy protections.\n    And then I think you said, Mr. Chao, and correct me if I'm \nwrong, you are now at about 80 percent.\n    And then you and Ms. Tavenner agreed that by October 1st \nyou would be at 100 percent, and if there were any problems or \nhiccups, in your words, Ms. Tavenner, you were prepared for \nthat; is that correct?\n    Ms. Tavenner. Correct.\n    Mr. Cummings. Well, I stop here for just a moment to thank \nyou for doing what you do to prepare for something that is \nalready the law. Although we are getting ready to vote on it, \nby the way, for the 38th time, it is the law, and you all have \na duty, and I am so glad that even with all the chatter, you \nhave to stay focused, you have refused to be distracted and you \nmade sure that the American people--that the Affordable Care \nAct and the part that you all have to play in that, that you \nare prepared to do that, and I want to congratulate you. I know \nquite often you get negative comments, but the idea that you \nall took a monumental stance, and I want to say this to the \nother IRS employees, we appreciate it.\n    Now, let me say one last thing in any last 1 minute. I've \nsaid it from this dais before and I will say it until I day: \nThis is the United States of America. Every single person on \nthis dais, if they have ever hired anybody and ran anything, \nhas fired somebody, and just because we have some bad apples \nthat don't do the right things does not mean that we stop \noperating. It means that we take the bad apples out, and we \ncontinue forward.\n    This whole idea that there was a problem in the IRS and \nthere are ongoing problems and the problems that you are trying \nto straighten out, Mr. Werfel, to your credit, we should not \nthen suddenly wave a white flag and say, oh, we can't carry out \nthe Affordable Care Act. This is America. We are better than \nthat, and I know that you know that, and I get tired of people \njust because there are problems, suddenly they said, oh, no, we \ncan't carry out the law. No. We are better than that. And so, I \nwant to thank you all and may God bless.\n    Mr. Lankford. Two quick notes here, Mr. Werfel. I know you \nhave a hearing at 1:00 today. We've been at this for a little \nover 2 hours this morning. I know you need to be excused pretty \nquickly. You have time for one more question, or do you need to \ngo ahead and scoot out now?\n    Mr. Werfel. No, absolutely. Please.\n    Mr. Lankford. Okay. It is--Mr. Woodall is up.\n    Mr. Woodall. Thank you, Mr. Chairman.\n    And thank you, Mr. Werfel, for spending a little more time. \nI actually had a couple of questions, too, because I think \nyou're a very serious public servant. I've been a public \nservant in a couple of different capacities myself, and I think \nit's fine for us to disagree about the issues. I think you have \nto be serious about the work.\n    And I appreciate Mr. Cummings' comments about you had a \nresponsibility, Ms. Tavenner, you had a legal responsibility, \nand you carried it out, and he's tired of hearing excuses for \nwhy it is we can't get things done.\n    My question to you, Mr. Werfel, is, that's what we saw on \nthe Treasury blog. We just can't get things done. Ms. Tavenner \nsays, we were only at 20 percent a month ago, but we are going \nto make it happen by October 1st.\n    The President seems to have decided or the Secretary seems \nto have decided that, no, we just can't get things done, no \ndoubt to the frustration of my friend from Maryland.\n    We've got a bill on the floor this week that makes that \nstatutory change, taking the Administration at its word that \nthey can't get it done, we make that statutory change from 2014 \nto 2015. Several times during this hearing, folks have said, we \njust have to follow the law.\n    In your discussion with the Chairman about 6103, you said, \nyou know, there may be some policy discussions about 6103 that \nwe ought to have, but we at the IRS, we just follow the law. \nMr. Cummings applauding CMS for following the law, doing what \nwas required by law. Why is it that we don't have Treasury's \nsupport for making a statutory change to the law rather than \njust doing things that we would like to do administratively?\n    I think one of the real challenges we have is we don't have \nany need to work together any longer. We want to do something, \nwe just do it here on Capitol Hill. You guys, the \nAdministration decides you don't like the way things are going, \nyou just do something different. Why is it that it would not be \nbetter for the public servants who have to implement these \nlaws, for us to actually change the law rather than do it \nthrough blog posts of administrative decisions?\n    Mr. Werfel. The challenge that I have, Congressman, and I \nappreciate the question, is that the role that the IRS has in \nrelationship to Treasury is they make determinations on policy, \nthey work on whether we are going to support or oppose and how \nwe are going to work with Congress on the laws itself, and we \nreally are all about administration. So, from my vantage point, \nI can answer questions for you on the decision that the \nTreasury made and how it impacts the IRS' ability to implement \nthe ACA, but in terms of the--whether it should be \nlegislatively incorporated is something I'd have to defer to \nTreasury.\n    Mr. Woodall. I understand your challenges in that and \nrespect it. I think about what Mr. Cummings has said about \napplauding the good work of IRS employees across the country \nand a few bad apples. I mean, I stay regularly at town hall \nmeetings. You all have a horrendous job, and the job that you \nhave that is made so horrendous is made so horrendous by the \nlaws that we pass here on Capitol Hill. I feel a great burden \nfor the responsibility we put on you.\n    I guess what I'm asking is, we just perpetuate the \nfrustration with IRS employees when we put them in untenable \npositions. And putting the IRS in the untenable position of \nhaving statutes that require laws to be enforced and saying, \nbut no, we are not going to enforce those laws simply \nperpetuates the negative stereotypes that go on out there \ntoday. So, understanding that you might not be able to \nspeculate on why those decisions were made at Treasury, \nwouldn't you push up the ladder, hey, here's the Congress that \nwants to work with us to get this done in a statutory way for \nthe House, the Senate, the President, to come together and do \nexactly what Treasury seems to be asking for, why can't we come \ntogether and do that? Why won't you push that message up the \nchain?\n    Mr. Werfel. Well, without particularly commenting on this \nissue, I think in general what the IRS does is we--we do have a \nguiding principle that the simpler the tax code, the simpler \nthe laws are, the more clear they are, the more we are going to \nbe able to administer it then effectively and efficiently. And \nso, you know, we have that guiding principle, and then as we \ndeal with different legal issues that arise, Treasury will \nconsult with us on the administrative aspects of them.\n    Mr. Woodall. I understand that, and I absolutely agree with \nthat. I would say, ``shall begin after December 31st, 2013'' is \npretty simple. I would say that subsidies shall apply to State-\nbased exchanges is pretty simple. We've done the best we can in \nterms of simple law, and folks have gone and reinterpreted what \nwas very simple law, and that's the frustration to me as a \nlegislator.\n    I hear what you say to the chairman, 6103 is clear, it's \nblack letter law, Mr. Chairman, we can't avoid it, and I'm \nthinking, for Pete's sake, you decided that you don't like the \nmandate timing, so you'll do something different there. You \ndecide you don't like the subsidy implementation, so you'll do \nsomething different there. These are very serious men, the \nchairman and the ranking member, you could just decide, you \nknow what, 6103, it says, Finance Committee and Ways and Means, \nChairman, but it probably should have included the oversight \nguys, too, probably should have. The subsidies probably should \nhave done the Federal exchanges. The deadline probably should \nhave been a year out, but you don't.\n    There is a lot of lack of confidence in America in both the \nadministration and the Congress these days. We have \nopportunities to work together instead of working against each \nother, and it frustrates me that even on something as simple as \na date change, we can't even take advantage of that opportunity \nto restore faith in the people's government here in Washington, \nand I thank you all for being here.\n    Thank you, Mr. Chairman.\n    Mr. Lankford. Thank you.\n    Mr. Werfel, I know you've got to scoot out of here and get \nready for the next hearing. Thank you for being here.\n    Mr. Milholland, will you be able to remain or----\n    Mr. Milholland. I can remain.\n    Mr. Lankford. That would be great if you can, so if you \nneed to answer for IRS.\n    Mr. Perry.\n    Mr. Perry. Thank you, Mr. Chairman.\n    Ladies and gentlemen, thank you very much for being here. \nWe understand on this committee that--and in Congress, that you \nhave a duty to perform and you don't always necessarily agree \nwith what we send out of this place, but you do your duty and \nyou perform it as best you can. We appreciate that. We also \nhave a duty as well, and I would take some exception with the \nstatement that our duty is to make sure this works.\n    We have a duty to our constituents to make sure that we \necho their concerns and ask questions on their behalf, and on \nmy part, a lot of my constituents are concerned and skeptical \nabout this law and the contents therein, and so I want to ask \nsome questions on their behalf.\n    I guess, Mr. Chao, I'll start with you, because I'm not \nreally sure who else to start with. Who--is there one person? \nWho is the charge--or who will be in charge of the data hub?\n    Mr. Chao. In CMS, we typically have a combination of lead \npolicy, what we call business owners of the hub. The \nadministrator ultimately is accountable and responsible for any \nof the technology that we implement to support the programs, \nbut the day-to-day operation is governed by a board of business \nand technical leadership in the agency.\n    Mr. Perry. In CMS or the IRS?\n    Mr. Chao. There is a CMS and as well as a cross agency----\n    Mr. Perry. So it's a bunch of people who will never have, \nin my opinion and I think in a lot of American people's, \nbecause of that, there is never really going to be true \naccountability because something happens, everybody's going to \npoint to everybody else. I mean, it's a--how many people are we \ntalking about? Do you know? I mean, you're--you're in charge of \nsome of this stuff. Do you know?\n    Mr. Chao. I think what it boils down to is there is only \nless than a dozen people who are truly----\n    Mr. Perry. Less than a dozen, okay, and some from our--\nthere are five agencies. Somebody from the five agencies, a \nperson from each within the five agencies that are getting data \nin, taking data out? I mean----\n    Mr. Chao. Correct.\n    Mr. Perry. Okay. So, I mean, you are going to know my \nSocial Security number, my email address, my home address, my \nfinancial information, whether I ever got a DUI, you are going \nto know--this--this portion of government, the Federal \nGovernment is going to know literally everything about me \nthat--and everything about every 300-plus million Americans \nthat they find personal and are concerned about having their \nneighbors know about, and so they're right, I think, to be \nconcerned.\n    Who determines what questions are asked? And I know you \nkind of alluded to, at least in one part, that you are not \ngoing to have personal information or personally identifiable \ninformation, but in another sense, I thought you said that \nyou're going to know the home address, the email address, \nethnicity. Who--who determines the question? Why is ethnicity \nimportant? Why is whether my wife is pregnant important? And \nwhen does she have to report it? Or when do you find out? What \ndo you do with that?\n    Mr. Chao. We make a proposal under the Paperwork Reduction \nAct, in which actually the public and Congress and anyone with \nthe public at large can comment on the questions that we've \nasked, that we've included, that we felt essential to be part \nof that streamline application; that's online to apply for \naffordable care.\n    Mr. Perry. So you make a recommendation, and we can provide \ncomment, and what happens with our comments when we object?\n    Mr. Chao. I think similar to rulemaking, we factor those \ncomments in and categorize them and take a serious look at the \npolicy and legal angles and technical implementation angles of \nit and we try to accommodate the kind of the very, very huge \nconcerns that we get back under----\n    Mr. Perry. So, you're with CMS. Why is ethnicity important? \nWho is it important to?\n    Mr. Chao. I am on the IT side. I cannot answer.\n    Mr. Perry. Yeah, but you're--that's the thing. You are one \nof these guys that are at the top. Are you one of the less than \na dozen people on the committee in charge of the data hub? Are \nyou one of those people?\n    Mr. Chao. Yes.\n    Mr. Perry. Okay. So if you don't know this, who does? Who \nknows the answer, and shouldn't you know it?\n    Mr. Chao. I think within my purview, I don't try to \nquestion every detailed policy that I am asked to implement. I \nam more concerned about capturing the requirements to make sure \nthe system is reflecting----\n    Mr. Perry. But you are one of the people that weighs in on \nwhether it's important or not for your organization and what \nyou do, and this is the American people's personal information, \nso it needs to be important to somebody. If everybody took your \nopinion, nothing is important to anybody as long as the next \nguy said it was. I mean, the fact that you didn't know about \nthis Serco. I mean, do you think the American people believe or \nknow right now that all this information about them is going to \nbe handed off in some form to private contractors? Do you think \nthey know that?\n    Mr. Chao. I think they will know because they are in charge \nof consenting to that release. We--when you----\n    Mr. Perry. So, on the release, it's going to say, ``I'm \ngiving my information to CMS,'' or ``I'm giving my information \nto Serco''?\n    Mr. Chao. It's actually the process. So if you're in that \ninconsistency period, you are giving consent that we will be \nhandling any issues that you have.\n    Mr. Perry. You'll be handling it, but it doesn't say that \nyour information will be handled through us via contract by a \nprivate organization who's owned by a British company or by \nMasterCard or whoever the contractor happens to be at that \ntime.\n    Ms. Tavenner. Let me try to help answer some of these \nquestions because I think the accountability obviously stops \nwith the CMS administrator, and that's me, and we do have \nbusiness owners, and Henry is responsible for the IT \nimplementation.\n    Let me start with your question about health information \nand a reminder that the hub does not store any information, but \nit does not even ask for health information. The only time that \npregnancy becomes an issue is, obviously, if someone is \nqualifying for Medicaid and there are benefits, they are \neligible for Medicaid and maybe they're pregnant so it varies \nState By State, so that would be the reason for the pregnancy \nquestion.\n    Much of the information that we ask is required by law, and \nif you'll remember, there a couple of months ago, we went from \na long application process down to what we are calling a 3-page \napplication for an individual who is applying on the \nmarketplace. But once you start to get inside, whether it's \nMedicaid or CHIP, there may be additional questions that we \nneed to answer in order to help someone get eligibility. That's \nusually done at the State level.\n    There is no health information. When we work with Serco, \nSerco is helping with enrollment and eligibility, so there is \ndata that we store around things such as your email address, \nsuch as your phone number, such as Social Security, but part of \nthat is stored so that if you have a dispute about whether or \nnot you were eligible or you have an appeal, we have that \ninformation, but it's not kept on the hub.\n    Mr. Perry. It's stored somewhere.\n    Ms. Tavenner. Yes.\n    Mr. Perry. Mr. Chairman, with indulgence, one last \nquestion, is for Mr. Milholland. We heard earlier that there \nwould be penalties for folks that had breached the confidence \nof the American people by providing that information to folks \noutside, tax information, so on and so forth, you work at the \nIRS. Let me ask you this, regarding the information, regarding \ntargeted political organizations that we recently learned \nabout, has anybody been penalized at this point that you know \nof in your organization?\n    Mr. Milholland. The only thing I am aware of is people are \nno longer in the jobs they were in.\n    Mr. Perry. Have they lost their pay?\n    Mr. Milholland. That, I do not know.\n    Mr. Perry. Thank you, Mr. Chairman. I yield back.\n    Mr. Lankford. Mr. McHenry.\n    Mr. McHenry. Thank you, Mr. Chairman.\n    Mr. Duncan, in your March report of this year, TIGTA gave \nno indication there would be problems with the IRS' \nimplementation of reporting requirements; is that correct?\n    Mr. Duncan. That's correct.\n    Mr. McHenry. Okay. So does that include section 6--6055 \nthat requires insurers to report about the coverage that they \nprovide?\n    Mr. Duncan. There are several information requirements from \ninsurers, employers, from the exchange itself on a monthly and \nannual basis, so all that information will flow to the Internal \nRevenue Service and has to be processed, maintained and kept.\n    Mr. McHenry. But you had no issues with that.\n    Mr. Duncan. That is still not really done until 2014 will \nthat data start to flow to the IRS.\n    Mr. McHenry. Okay. But does this include section 6056 that \nrequires employers provide information on the health insurance \nthey provide, so----\n    Mr. Duncan. We are very concerned about that with the \nrecent change and the recent----\n    Mr. McHenry. No, no, but prior to that. We're talking about \nyour March reports. I mean, because you're there to make sure \nthat we're, you know, the IRS is moving along in the path here.\n    Mr. Duncan. That's correct.\n    Mr. McHenry. Right. And so, in your March report, you said \nthey didn't have any issues with this process of getting that \ninformation, right?\n    Mr. Duncan. That was the information that they were \ncollecting for the income and family size verification.\n    Mr. McHenry. Right. That's what I have.\n    Mr. Duncan. And the overall plan that they had in place \nlooked good.\n    Mr. McHenry. Looked good. Okay. So, you know, when we see \nthe President announce this change, right, on employer mandates \nand then we see this other movement in terms of reporting \nrequirements, right, which you have the business mandate, then \nthe reporting requirements that the President then, through \nthis administrative procedure here, they've said, well, we are \njust not really going to verify very much, right, but is there \nin basis, basis in practice, right, saying that they really \ndon't have that capacity, I mean, according to TIGTA?\n    Mr. Duncan. In accordance with what we reviewed in the \napplication that we looked at the IRS and our understanding, as \nof today, is the IRS will continue to provide to the exchanges \nthrough the HHS hub----\n    Mr. McHenry. All right.\n    Mr. Duncan. The income and family size information. Now, we \ndid not see, in our review, that there was a major change in \nthe IRS need or requirement to provide that information if it's \navailable.\n    Mr. McHenry. Yeah, but I mean, this is the verification \nprocess to ensure that people are complying with it, right?\n    Mr. Duncan. Yeah. I just want to make sure, though, that we \nunderstand that the IRS information is only one set of \ninformation that the exchange will use in looking at and \ndetermining what the final income and family size data should \nbe.\n    Mr. McHenry. Okay. So let's run a scenario here.\n    Mr. Duncan. Uh-huh.\n    Mr. McHenry. Okay. So, you know, in a state that doesn't \nexpand Medicaid, for instance, North Carolina being one, and I \nrepresent a district in North Carolina. A man who earns \n$15,000--I am just going to walk through this scenario so \npeople have an idea--would be eligible for a $3,400 subsidy if \nhis employer does not extend an offer of affordable coverage to \nhim or her, for instance. And so in 2014, with the Federal \nGovernment, would they be able to verify whether this \nindividual had an offer of affordable coverage at work?\n    Mr. Duncan. I assume the HHS or the exchange at the state \nlevel would be in a position----\n    Mr. McHenry. We don't have an exchange at the State level.\n    Mr. Duncan. Then the Federal exchange would have to be \ndoing that, and they would ask for information from the \nInternal Revenue Service as well as other locations.\n    Mr. McHenry. Okay. So, Ms. Tavenner, if an individual fails \nto report that he has an offer of affordable employer-sponsored \ninsurance, right, will he receive a subsidy of that $3,400?\n    Ms. Tavenner. When an individual does do the self-\nattestation, they would verify whether or not they had \nemployer-sponsored insurance.\n    Mr. McHenry. Right, right, so they're going to say, hey, \nhere's the deal, didn't get it, give me $3,400 bucks, subsidy. \nSo, you know, if I'm verifying for myself, right?\n    Ms. Tavenner. If you're verifying for yourself and you say \nthat it's available and you didn't get it, you will not be \neligible for the tax credit. And a reminder----\n    Mr. McHenry. Right. But who's going to say I'm not eligible \nfor free stuff?\n    Ms. Tavenner. So, I'll remind you that you signed, when you \ncomplete the application, that this is under law, perjury, \nokay, so there are consequences to an individual who is not \ntruthful on their application.\n    Mr. McHenry. So what kind of enforcement are you going to \nhave on that truthfulness?\n    Ms. Tavenner. Obviously, we would follow law.\n    Mr. McHenry. Right. But you have to have people to execute \nthe following of the law. Are you going to ring them up and \nsay, hey, by the way, were you honest then this self-\nattestation?\n    Ms. Tavenner. Well, we will look at ways to verify.\n    Mr. McHenry. Oh, you'll look at it. Okay. We are talking \nabout this going into effect this fall. We wanted something a \nlittle more than a look for. What is your process to verify \nthat what they said was in fact true?\n    Ms. Tavenner. So, we--there are a couple of ways. \nObviously, we will verify first with the IRS, with SSA, \ninformation that's available. If we are not able to get \neverything we need there, we will work with private commercial \nproducts, such as Equifax.\n    Mr. McHenry. So, Equifax would have knowledge on whether an \nemployee of my brother's business was offered a health \ninsurance plan that was commensurate with the requirement under \nFederal law? Equifax would have that knowledge?\n    Ms. Tavenner. We are looking at a process and I'll be happy \nto get back to you with those details, so I need to get--walk \nyou through the process, and I'm happy to.\n    Mr. McHenry. I would think you would sort of think this \nthrough with this big announcement that we are going to waive \nthe employer mandate, right?\n    Ms. Tavenner. We are going----\n    Mr. McHenry. But you leave the individual mandate, so \npeople are required, under compulsion of the law, right, which \napparently you haven't thought about the enforcement of that \nlaw, which is sort of interesting, and maybe sort of liberating \nfor some people, by the way, that you still have it on the law, \nbut you don't have any enforcement mechanism.\n    Ms. Tavenner. And I'm happy to get back with you of that \nprocess.\n    Mr. McHenry. Well, I would hope you would get back with us, \nand I hope you would think more deeply about this. When you \ntestify to Congress about something this important, that you \nwould have taken a little bit of time to think through that \nverification process and that enforcement mechanism that you \nhave enormous authority, as well as the IRS, to enforce it.\n    And so, with that, Mr. Chairman, thank you for the \nindulgence of time, and I didn't get to the fullness of the \nquestions I had, but this--this is outrageous that the non-\nanswer that I was given. I appreciate the chairman's work on \nthis.\n    Mr. Lankford. Ms. Tavenner, about how much time do you \nneed, do you think, to be able to come back on his question?\n    Ms. Tavenner. Yes, a few days.\n    Mr. Lankford. A few days. Great. Thank you for that.\n    Mrs. Black.\n    Mrs. Black. Thank you, Mr. Chairman.\n    I want to thank you and the committee members for allowing \nme to sit on the committee and be able to ask questions to this \nvery important issue. I want to thank all of you for being here \nto testify as well.\n    This is something that is really very near and dear to my \nheart because I come from a State called Tennessee where we had \nTennCare. We had the pilot project. So I'm very familiar with a \nlot of what's going on.\n    As has been reported by one of the members of this \ncommittee, there has been a lot of information out there that I \nhave put out to say, there are questions that need to be \nanswered, and I'm glad that you're here today to answer those.\n    I do want to go back to say that it is very concerning that \nthere's a conflict. There's a conflict between what you say and \nwhat we read, and I want to start with the first of those, \nbecause I want to go back to a system of records notice, and it \nsays, and I quote, records are maintained with identifiers for \nall transactions for a period of 10 years after they are \nentered into the system. Records are housed in both active and \narchival files in accordance with the CMS data and document \nmanagement policies and standards.\n    It has been said over and over and over again by you, Ms. \nTavenner, that these records are not kept.\n    How is it that we see in the systems of records notice, \nthis is what we are being told, and yet you say--and this is \nwhy there is a lack of confidence in the people of this \ncountry, is that we don't have confidence that what we hear and \nwhat is actually there matches up.\n    Ms. Tavenner, can you address that?\n    Ms. Tavenner. Yes, Congresswoman, I can. I have said that \nwe do not store information in the hub. I have also said, and \nas obvious by what we supplied in our systems of record notice, \nthat we do store information on the marketplace, which is \nseparate from the hub.\n    Mrs. Black. So let's be very, very clear that this \ninformation is being stored. When we continue to say, oh, this \ninformation is not stored, I think there, that people then go, \noh, you're wrong in saying it's stored. It is stored, and we \nhave documentation.\n    Now, let me go to the second bullet.\n    Ms. Tavenner. Well, as I said in my opening testimony, \nthere are two systems, and it's important to understand that \none is the hub, which is a router, and the other is actually--\n--\n    Mrs. Black. Which is a router that has a lot of people \ninputting information and taking out information, so I'm still \nnot confident that what's been said here today, that all of \nthis is protected because I have additional questions, which I \nknow I won't have time to get to, about what are the background \nchecks? Who will have that access? But let me also go to the \nnext question on this, because it was referenced that there is \nno personal health information that is collected, and I want to \ngo to a documentation that was put out, I guess, about 2 weeks \nago, and this is--I am going to the section of verification of \neligibility for minimum essential coverage other than through \nan eligible employer-sponsored program, and I am in the \nsection, and I'll give you the number of that section, 155.320.\n    So, here is what it says, and I am reading out of the \nfourth paragraph in here that says, ``finally, we propose and \nadded a paragraph to provide consistent with 45 CFR,'' and \nthere is a lot of other. I won't go through that, and this is a \nquote, ``a health plan that is a government program providing \npublic benefits is expressly authorized to disclose personal \nhealth information, as that term is defined in 45 CFR 160.103, \nthat relates to eligibility for or enrollment in the health \nplan to HHS for verification of applicant's eligibility for \nminimal essential coverage as a part of the eligibility \ndetermination process for advanced payments for premium tax \ncredits.'' It specifically says in here that they are expressly \nauthorized to disclose private health information.\n    Can you speak to this?\n    Mr. Chao. I can answer this. You know, something--something \nlike a birth date that exists in one particular context can be \ntreated very differently and called and wrapped around, for \nexample, personal health information when it appears in another \ncontract--context, such as your health record. I think the \nminimum essential coverage, the intent is to check other \nsources of potential coverage to determine whether that \ncoverage would be duplicative, supplemental or contradictory to \nwhat the law has indicated that you cannot be in an exchange or \na marketplace benefit receiving a premium tax credit and \nenrolled in something else that's also a government program.\n    So, that information, when we check that, if you look at it \nin the context of how it's delivered to us, for example, from \nVA, it is part of the health record, but it is just the date of \neligibility. We don't hold any--you know, it's is a vernacular, \nyou know, kind of vocabulary contextual kind of issue, so it's \nnot clinically related. It is just a check on the status of \nyour eligibility.\n    Mrs. Black. Well, I hear what you're saying there, but this \nspecifically says, is expressly authorized to disclose personal \nhealth information.\n    Mr. Chao. Right, but I think you were----\n    Mrs. Black. Well, I am going to need to get--and we can \nhave another conversation here, but I am going to need to get \nassurances that when you have an expressed authorization to \ndisclose personal health information, that we give assurances \nto our constituents, my constituents that this information is \nnot going to be shared with people that shouldn't be getting \nit, and I don't still have assurances in what I am seeing here.\n    I think, Mr. Chairman, there needs to be many more of these \nhearings to--both for those Congressmen that are concerned \nabout this as well as more importantly my constituents in the \npublic who are really concerned about what has happened most \nrecently with the IRS and how information has not been \nprotected and people have been targeted, and likewise, I think \nthere are many more questions about navigators and what kinds \nof background checks they have, what kind of training they had, \nthis is something that certainly needs to be talked about a \nwhole lot more.\n    And again, I yield back. I know my time is up. Mr. \nChairman, once again, thank you for allowing me to be here at \nthis committee hearing.\n    Mr. Meehan. [presiding.] Okay. I thank the lady, and I \nthank the panel. I know we have gone through a lot of \nquestioning. There is just a few of us have some follow-up \nquestioning, and you will indulge me on that. I certainly--I \nmean, I want to echo the point that was just made by the \ngentlelady from Tennessee. I mean, this is not only the idea \nthat it's within the regulations that you published yourself, \nbut the concept that there are certainly circumstances where a \nlot of that can be done without the consent of the individual \nwhose records they are. I mean, this is--and I know it goes to \ncontractors, and nobody knows who those contractors are at this \npoint in time. And we are 75 days away from implementation and \nyou can't identify with specificity who it is who are some of \nthe contractors and what kind of things have been done, but I--\nto assure the credibility of their participation in the system.\n    But you talked about harmonizing, Mr. Chao and others, the \nwork that's going to be done among the various agencies in this \ndatabase, and, therefore, you are going to pull in the \nactivity. And I know the IRS has a system which has been \neffective or at least the more effective, but I look at the \nagency score cards, and I am talking about harmonization, and \nthis is the agency Federal department's and agency's cross \npriority goals in cybersecurity for the second quarter of 2013, \nso this is the most recent one. And when we begin to talk about \nthose who are on the scorecard, two of the poorest performers \nare HHS and the Social Security Administration, both performing \nunder the requirement that the executive branch will achieve 95 \npercent implementation of the cybersecurity capabilities.\n    So who's going to be, are we going to rise to the level of \nthe IRS, or is it going to be down to the lowest common \ndenominator with respect to the HHS and Social Security \nAdministration\n    Mr. Chao. I think, working with IRS, certainly I mentioned \nearlier, that they've set the bar for security and privacy of \nprotected, you know, information. You know, specifically in \ntheir case, under 6103 and based upon our experience, you know, \nworking with systems that process personally identifiable \ninformation relative to eligibility, particularly like Medicare \neligibility or enrollment dates and history of enrollments, \nwe--I can't speak for the HHS level. There are 11 operating \ndivisions or agencies within HHS of which CMS is just 1 of the \n11, so I don't know if that scorecard reflects, you know, the \nindividual CMS progress, but we can certainly look into that \nand get back to you.\n    Mr. Meehan. Well, two of the three components that are \ngoing to be critical among these are the worst performers, but \nlet's--let's on the part of this, is this is a dynamic network \nand people keep talking about the fact, well, information isn't \ngoing to be connected here or stored in one particular place, \nbut it's just once one has access into this system, \nparticularly in light now, the fact that it's going to have so \nmany different places in which responsibility for security will \nbe contained, including, as best as I can understand, the fact \nthat there are at least 15 States who will be operating their \nown exchanges.\n    And Mr. Duncan, maybe you can speak to some of this, but as \nplan management--Mr. Duncan, does plan management include \nsecurity?\n    Mr. Chao. I don't think Mr. Duncan can speak to that.\n    Mr. Meehan. Mr. Chao. Well, let me ask him this question as \ninspector general, does plan management include security?\n    Mr. Duncan. Plan management should be considered when you \nbuild any application; it should be baked into the application, \nfor sure.\n    Mr. Meehan. Mr. Chao, are you saying plan management does \nnot include security?\n    Mr. Chao. No, I'm saying it does include security, and plan \nmanagement is a core function inside the federally facility----\n    Mr. Meehan. Okay. Well, here I have--and this is the report \nof the GAO that was done recently establishing, it says, for \nthose 15 FEEs which States will assist with plan management \nfunctions, CMS will rely on the States to ensure the exchanges \nare ready by October 2013.\n    So, all of this work you are talking about, the fact of the \nmatter is there is 15 different States and you're basically \nsaying, Ms. Tavenner, well, we are going to rely on them. They \nare going to sign documents that say that they are okay, but we \nare going to rely on them. This is your document. Is that \naccurate? Ms. Tavenner.\n    Ms. Tavenner. I am trying to answer. Actually, it's a \nlittle more interactive than that. We have oversight. Even \nwhen--what we do is we allow State-based exchanges to build \ntheir own platform, but we also work closely with them both on \nsecurity plans, on plan management.\n    Mr. Meehan. And how closely have you worked? Let me go down \ninto the footnote, footnote 42. Seven of the 15 States \nsubmitted an application, were approved to assist and other \nplan management functions. Additional seven States were not \nrequired to submit an application, and CMS officials indicated \nthe agency has no formal monitoring relationship with the \nStates. Instead, CMS conducted a 1-day review of these States.\n    So here we have the greatest data hub--the greatest data \nhub that has ever been put together with private information in \nthe history of the government. It is going to be related back \nto your reliance on the States to do it. You say you have \noversight, and by the GAO's report, what was done with seven of \nthose States was you went and you spent one day on the review, \npresumably looking at a whole variety of issues, not just \nsecurity.\n    Ms. Tavenner. In this case, those seven States you're \ntalking about--I don't have the benefit of your document, in \nfront of me, but----\n    Mr. Meehan. This is the GAO report.\n    Mr. Dicken, you made the report.\n    Ms. Tavenner. Yes, I've read the report, but I'm just \nsaying I don't have that page in front me, but the seven page--\nthe seven States that you're referring to are actually \ninterested in doing plan management, which is the work with the \nissuers, which is a function they do today through their State \ninsurance commission, and so we do work closely with the \ninsurance commission.\n    Mr. Meehan. Well, what do you do to assure the security of \nthe system with them, because it seems to me that you are----\n    Ms. Tavenner. So the security of the system goes back to \nthe hub and accessing the hub, which is part of our plan. So \njust because they do plan management that's out of State, they \ndo not have a separate mechanism to enter the hub. To enter the \nhub the same way we've talked about, applies to all 50 States. \nThe two are not the same.\n    Mr. Chao. To add to that, we also conduct technical \nreviews, which include security components, and we sign the \nessential security documentation that's needed and agreements, \nsuch as computer matching agreements and data use agreements, \nwith all the States. So, there are other checks and balances \nthat are in place, you know, as I mentioned earlier, the \noverall security framework.\n    Mr. Meehan. What assurances do we have that the States are \ncapable to protect the system, at least at their entrance \npoint, and that your system is capable of protecting itself \nagainst the high level of--of effectively cyber attacks that \nare taking down the most sophisticated systems in the world.\n    Mr. Chao. I think with ingress points and connection points \nwith the federally operated IT and managed IT, I think we \ndefinitely apply, as you well know, under Homeland Security and \nat the department level and even at the agency level, lots of \ncontinuous monitoring of the networks and intrusion. I think \nthat----\n    Mr. Meehan. It's saying that--the report that I just have \nthat came down from the colleges says they can be months before \nanybody realizes that they are even in there.\n    Mr. Chao. And I'm saying that with regard to the ability to \nimpose the same Federal requirements on State systems and \nnetworks, I don't think we have applicable law that clears our \nability to impose that on States, other than asking them to \nsign agreements.\n    Mr. Meehan. My time is expired, and I need to respect the \ntime.\n    So I will turn it over to the gentlelady from California, \nMs. Speier.\n    Ms. Speier. Mr. Chairman, thank you.\n    You know, when Medicare was first passed as a law, there \nwere huge cries by many in Congress about how it was going to \nbe horrific and bring socialism into this country. Fast forward \nto when we were debating the Affordable Care Act and signs \nacross this country and at town halls that I was party to were \nsigns that said, ``Don't touch my Medicare.'' I believe that \nthere will be a time when the signs will be, ``Don't touch my \nACA benefits.''\n    I am really apologizing to each of you for what I think has \nbeen a counterproductive engagement today. I think most of what \nhas happened has been efforts to throw sand into the gears, and \nI don't think that's what this committee is supposed to do. We \nare supposed to drill down, to find out whether or not there \nare any oversights, and if there are, help you fix those \noversights.\n    I have a lot of confidence in what you're doing. It is not \ngoing to be perfect out of the shoot, it just isn't, and I \nthink we do great harm when we continue to spew out lies, much \nlike the lies about the death panels. For those that have an \nagenda to dismantle the Affordable Care Act, this is not where \nthey need to be. For those that want to make sure it works \nsuccessfully, this is where they should be, and I want to thank \neach and every one of you for your efforts to try and make this \na successful one.\n    Now, I would like to ask one question. As you have weighed \nin, as you have dived deeply into this, implementation, is \nthere is a particular area that you have some concerns about \nthat we haven't addressed that we should address either by \nlegislation or by information that we convey to our \nconstituents?\n    Ms. Tavenner. I thank you for your support, and I would say \nthat our biggest concern is that we have adequate resources to \ndo the--to do the work. The President's budget has proposed \nresources for 2014. It is important, if you want, and we want \nto take privacy and security seriously, we need to have the \nresources to be able to do that, and so I would appreciate your \nsupport in that area, and I thank you for your earlier \ncomments.\n    We have a great team at CMS, and we are working very hard, \nand we look forward to October 1st.\n    Ms. Speier. Anyone else?\n    Yes, Mr. Milholland.\n    Mr. Milholland. As Mr. Werfel also commented about the \nbudget issues, their primary concern is resources also, so I \nwould echo Ms. Tavenner's comments.\n    Ms. Speier. Mr. Duncan.\n    Mr. Duncan. Yes. The inspector general has three basic \nconcerns, and I think I mentioned those in my initial \ntestimony, but I'll recap them. The protection of Federal tax \ndata at exchanges, we believe, is a very specific requirement. \nThe safeguards program at the IRS, we are currently doing an \naudit of that program as we speak, and we think they are going \nto need the resources and funding to expand significantly to \ncover the additional State exchanges and its very specific \nrequirements, as has been talked about before for that.\n    Also, the fraud prevention systems, that they're ready by \nJanuary of 2015, that's the return review program at the IRS, \nwhich brings analytics and stops the refund from going out the \ndoor, not after the fact and try to recoup it after the money \nis sent out. And also, the thing we've been talking about quite \noften, which is the interagency testing--this is all the \ncomponents, including the IRS, that there is sufficient testing \nfor the entire system, not just the pieces. Those would be my \nthree concerns.\n    Ms. Speier. All right. Thank you.\n    Anyone else?\n    Mr. Dicken. I can just note from our GAO report, you know, \nI think we highlight, I have two key areas that are remaining \nthat are key for the October 1st implementation. We certainly \ntalked a lot today about the data hub as a key tool for that. \nWe talked now some about plan management as a separate core \nfunction. The last core function that we spoke to was consumer \nassistance. That's an area where much of that is happening \nbefore October 1st and certainly another core area where there \nhave been some delays and then core activities that need to \ntake place by October 1st.\n    Ms. Speier. All right. Mr. Chairman, let me just end by \nsharing three quotations about how people were so exercised \nabout Medicare when it was being contemplated. Ronald Reagan, \nin 1961, said, ``If you don't stop Medicare, one of these days \nyou and I are going to spend our sunset years telling our \nchildren and our children's children what it once was like in \nAmerica when men were free.''\n    George H. W. Bush, in 1964, described Medicare as \nsocialized medicine.\n    Barry Goldwater said, in 1964, ``Having given our \npensioners their Medical care in kind, why not food baskets, \nwhy not public housing accommodations, why not vacation \nresorts, why not a ration of cigarettes for those who smoke and \nbeer for those who drink?''\n    We really have got to get beyond the rhetoric----\n    Mr. Jordan. Would the gentlelady yield for a question?\n    Ms. Speier. I am just closing. You can certainly carry on \nin your recount, but I would just say, rhetoric is not what we \nneed to be talking about today. What we need to be talking \nabout is the sum and substance of how we make this operate \neffectively, efficiently with privacy concerns resolved, with \nsecurity concerns resolved and with the understanding that the \nfraud that may occur, if it is fraud, or just a misassessment \nof what one's salary is, is that, at the end, it is going to be \nfigured out and payments will be made back to the U.S. Treasury \nfor the fraud that may have occurred when someone said they \nwere making less when they were really making more.\n    Now, any other fraud that occurs, it may be a subject that \nwe would have to discuss further, but at this point, Mr. \nChairman, I thank you for chairing this hearing, and you know, \nwe have had a great relationship and I look forward to more of \nthe same.\n    Mr. Lankford. [Presiding.] Thank you.\n    Let me ask a couple of questions here. We are getting close \nbecause I know you all have been at this a very long time. The \nverification that they qualify for a subsidy, is that done at \nthe exchange level or CMS? Who verifies that they qualify?\n    Mr. Chao. The verification services are processed by CMS \nsystems for Federally Facilitated Marketplaces and via the hub \nconnecting to the income verification sources.\n    Mr. Lankford. Okay.\n    Mr. Chao. For State-based marketplaces, they do that \nthemselves connected to the hub via income sources.\n    Mr. Lankford. So, with that, they've got to have access to \nall of that raw data to be able to make a decision. They are \nnot just getting yes-no answers. When they pull data, they're \npulling data, so it's entering fields.\n    Mr. Chao. Yes, but it's also--I don't want folks to think \nthat it's a whole array of tax return information or health \nrecords.\n    Mr. Lankford. Can we get a----\n    Mr. Chao. It's very narrow.\n    Mr. Lankford. Can we get a list, as it stands at this point \nright now, what information is coming down? Because I assume \nit's on their 1040, line 47, such and such, this data is made \navailable. I'm trying to find out what is made available to an \nindividual in that. Because if the exchange makes the decision, \nthat means they've got to have access to the raw data.\n    Ms. Tavenner. We can get you information----\n    Mr. Lankford. That would be terrific. And just on the broad \nrange, I'm sure it's all been laid out at this point, \nobviously, to know what all that involves on it.\n    This came up earlier, Ms. Tavenner, about the delay in the \nemployer mandate. You had mentioned late June, June 24th, that \nyou had received notification that that was going to be \ndelayed.\n    Ms. Tavenner. Let me be clear. June 24th or June 25th.\n    Mr. Lankford. That's fine.\n    Ms. Tavenner. I'm not sure which day.\n    Mr. Lankford. Yeah, that's fine. Yeah, I wouldn't hold you \naccountable to that, one way or the other.\n    But the question is, this has to be an ongoing part of the \nconversation. This was not a sudden decision late in June, that \nthe administration thought this was a bad idea, let's delay it. \nThere were a lot of factors that went into it.\n    Was the creation of this data hub and some of the \nconnections between the employers submitting information about \ntheir insurance and what insurance that they're providing to \nemployees and the complicated nature of that, was that a part \nof this conversation?\n    Did CMS or IRS have conversations with the administration \nto say, ``We've got all of this together. This is coming \ntogether well. We don't yet know yet how we're going to get \nemployers to tell us their information on the employees''?\n    Ms. Tavenner. Mr. Chairman, I cannot speak for IRS, but we \ndid not have conversation.\n    Mr. Lankford. So the first you'd heard about this at all or \npeople at CMS had heard about this at all was June 24th or \n25th?\n    Ms. Tavenner. The first I heard of it.\n    Mr. Lankford. Okay.\n    Would the IRS side--where are you? Because, at some point, \nit sounds like there will be--employers will have to submit, \n``My employee has been offered this coverage.'' Is that system \nin place? Is IRS prepared to be able to do that yet?\n    Mr. Milholland. That particular deliverable is 2015. This \ndirection to move it to the right slides that, I think it was \nroughly about 6 months, if I recall correctly.\n    But, in any case, the IRS has to be prepared on day one \nwith respect to those employers who choose to voluntarily \nprovide the information. So the fact that Treasury moved the \nrequirement to the right for----\n    Mr. Lankford. No, my question is, was there dialogue \nbetween IRS, Administration, Treasury, whoever it may be, to be \nable to voice, ``We don't have a mechanism to yet be able to \nverify this with the employers''? So was that a part of the \nconversation?\n    Mr. Milholland. That----\n    Mr. Lankford. Has there been a notification back? Because \nthat, as you said, is voluntary at this point. That has all \nbeen moved a year back. What was the dialogue in advance.\n    Mr. Milholland. I was not privy to that conversation.\n    Mr. Lankford. Okay. Is there a mechanism in place--was \nthere a plan to have a mechanism in place for 2014 for \nemployers to be able to verify their employees do have \nqualified health plans?\n    Mr. Milholland. The mechanism that was to be in place was \nthat they would report to the IRS.\n    Mr. Lankford. Right.\n    Mr. Milholland. And, I mean, that was part of the \nrequirements----\n    Mr. Lankford. Is that mechanism in place now?\n    Mr. Milholland. No, it's not.\n    Mr. Lankford. Okay. When did that get pulled? Because I'm \nsure that didn't get pulled June the 24th or 25th, as far as \nrequiring that field to be turned in.\n    Mr. Milholland. But it's part of the release that will come \nlater, 2015. I mean, it's not in the system as of October 1, \nwhich we're doing this year.\n    Mr. Lankford. Right, I understand the date's been moved on \nit. Prior to the 3rd of July, when it was announced that it's \ngoing to be delayed, was this planned to be a part of the IRS \nreporting system----\n    Mr. Milholland. The----\n    Mr. Lankford. --that employers would report starting in \nthis year?\n    Mr. Milholland. It was part of our plan but not to be \nimplemented this year.\n    Mr. Lankford. So, regardless, employers weren't going to \nreport either way?\n    Mr. Milholland. That's correct, this year.\n    Mr. Lankford. Okay. So the delay that's occurred, to say \nwe're not going to require that of employers this year, already \nlines up with what happening with data anyway? Or there was a \nchange in the plan to gather data this year? That's what I'm \ntrying to determine.\n    Mr. Milholland. I'm not sure I fully understand your \nquestion. I would just say again that the implementation of \nthat employer reporting wouldn't happen until 2015.\n    Mr. Lankford. And that was the plan from the beginning?\n    Mr. Milholland. From the beginning, yes, sir.\n    Mr. Lankford. Okay. That's what I'm--that's all I'm trying \nto be able to determine from there.\n    Ms. Tavenner, you mentioned earlier that there are third-\nparty sources of financial information. You mentioned even \nEquifax or some other outside organization. What's the \nconnection there on the database with third-party \norganizations?\n    Mr. Chao. We're looking--because there was talk of the \nrequirement to have, you know, kind of, employer offering of \ncoverage, we tried to look at our current contractor \ncapabilities to see if there was some commercially available \nway to do that. And it's just in conversation and discussion \nright now.\n    Absent of, you know, when things were known or not known, \nit was just--you know, for me, it was understanding the \nrequirement and seeing if there's a data source that's \navailable.\n    Mr. Lankford. And is that a hub-type relationship, to be \nable to pull data when it's needed? Or is it a matter of \ngetting data from them to be able to put on to the other piece? \nBecause we've talked about two different functions here.\n    Mr. Chao. Yes, pulling--it would be connected to the hub to \npull that data from the----\n    Mr. Lankford. There's a tremendous amount of credit \ninformation out there that's in error, obviously. What I'm \ntrying to determine is, now that we're fighting off three \ndifferent agencies that have credit information, trying to get \nthings fixed, we would now have to also add CMS into that mix, \nas well? That if there's an error in my system, how would \npeople know what is there----\n    Mr. Chao. I----\n    Mr. Lankford. --and whether they'd been accepted or denied? \nAnd how would they get that fixed?\n    Mr. Chao. Chairman, I believe that when the--you know, \nsaying ``Equifax'' and ``credit report'' is almost synonymous \nthese days. When we work with a company, Equifax, they have \nlots of data sources that they make available.\n    Mr. Lankford. Right.\n    Mr. Chao. I think the employer offer of coverage, that \npotential for having that data, is part of their overall \nworking with employers to pull payroll information to help \nservice benefit administration, you know, kind of, practices \nfor large employers for their employees. I don't think it falls \nunder the FCRA, kind of, realm of----\n    Mr. Lankford. Right. But the thought on it is--well, \nthere's a whole bunch of issues. Just false information at all \nis hard enough to be able to track on it.\n    But the thought is here, if they work for this certain \nemployer, then they have been offered care, is the assumption \nthere? Or is Equifax assuming that they'll be somehow reported, \nthere's an employee that works for me, this was one was \noffered, this one wasn't? Is it just a matter of they have \npayroll data so they're paid by this company, this company has \na qualified health plan, so they must have been offered? Is \nthat just the assumption?\n    Mr. Chao. Based on conversation with Equifax, they are \nhaving conversations with their employer clients that have this \ndata relationship, and they're seeing if that's something that \nthe employer community wants to provide as a service or a \nbenefit to their employees so that they don't have to \nconstantly answer questions and queries about coming back to \nthem about offer of coverage.\n    Mr. Lankford. Okay.\n    One last question, and then Mr. Jordan, I think, has some \nwrap-up. And we need to get you all out of here, obviously.\n    The individuals within the exchanges--and we've got an \nauthorized user that's been authenticated. They've signed in. \nWe know who they are; yes, they're one of ours. In a State, \nthey're viewing data trying to make a decision; let's say this \nis something that's not automated.\n    I assume most of the decisions are going to be made with \nparameters and it's going to be automated. Is that your \nassumption, as well?\n    Ms. Tavenner. We are certainly going to encourage \nautomation.\n    Mr. Lankford. Yeah, I would assume the vast majority--you \nhave millions of people coming through. Especially initially, \nthose decisions aren't going to be made on someone's desk with \na big stack.\n    Ms. Tavenner. But it will no doubt be a combination of \nmanual and automation.\n    Mr. Lankford. Okay. So that individual that's there within \na State that's making a decision on it has access to all that \ninformation. The challenge becomes, do we have a system in \nplace for background checks for those individuals, limiting \nthose individuals?\n    If we visit with NSA, they can tell us exactly how many \npeople have access to that information. And every time that \ninformation is accessed, there's an accountability process with \nit. What I'm trying to determine is, there are occasionally \nauthorized users that do have access to it but they use it in \nan unauthorized way, if that makes sense.\n    Ms. Tavenner. So they're--and I think the question you're \nasking is, who would help someone with an application?\n    Mr. Lankford. No, not necessarily. No, it's an individual \nthat has access to the information; they're authenticated as a \nperson that is an employee there, whether it be a private \ncontractor that works for a State or a State employees that's \nbeen authorized to be a part of the exchange. They have access \nto that information.\n    What boundaries are there that they don't use that \ninformation for unauthorized purposes?\n    Mr. Chao. From a program management perspective, when I \ntalked about the harmonized security and privacy framework--and \nI did mention that there are some things that we cannot \nnecessarily enforce upon States, but we can sign agreements \nwith them. And in signing these agreements, they abide by \ncertain security controls and thresholds that they, in essence, \npromise to uphold as part of the security practices.\n    Now, in the world of security and cybersecurity and \nawareness today and security policies and imposing this \noperationally, if you look at the multiple security frameworks \nthat are available--Federal Government, State government, and \ncommercial--there is a significant overlap, in that we adopt \nthe same controls, such as, you know, access management, \nauthentication to a certain degree of assurance in authorizing \ntheir entrance into the systems. So we're in agreement on a \nvery vast majority--large, vast majority of controls that are \napplied.\n    Mr. Lankford. Right. I'm talking about just the background \nof how do we show that this person, once they've accessed data, \nthat data that they accessed is for official purposes, not \nunofficial purposes. Because you now have data that was \npreviously in a closed system that's opening up a little bit to \nnew people that have been accessing information. So it's--am I \nmaking sense on that?\n    Mr. Chao. Yes. Well----\n    Mr. Lankford. Again, it's an authenticated user. It's just \nnot using it for authorized purposes.\n    Mr. Chao. I think we have, you know, other security \nmonitoring tools. We look at behaviors and trends in how people \nare using the system and----\n    Mr. Lankford. Right. We'll follow up on that in the days to \ncome.\n    The SPR that we talked about, Safeguard Procedures Report, \nhow many States currently have that, that that is done and \ncomplete?\n    Mr. Milholland. Mr. Chairman, I'm told that all 15 have \nsubmitted.\n    Mr. Lankford. All 15 are done?\n    Mr. Milholland. Yes. And I believe the Federal exchange has \nalso.\n    Is that correct?\n    Yes.\n    Mr. Lankford. I would hope that would be the easiest of all \nof them.\n    Mr. Milholland. I would also add that we've begun our \nState-by-State or exchange-by-exchange safeguards reviews, \nliterally, this week.\n    Mr. Lankford. Well, that would be one to watch for, just \nunauthorized use for unauthorized purposes is one to be able to \nwatch and to be able to track on it.\n    How many--by the way, on all of our States now for \nexchanges--this is off topic. I'm going to change to Mr. \nJordan, because we've got to go.\n    Do all of our States have more than one option on the \nexchange, at this point? Are there States that, when they get \nto the exchange, will only have one option when they get to the \nexchange?\n    Ms. Tavenner. You're talking about insurers now?\n    Mr. Lankford. Yes, ma'am.\n    Ms. Tavenner. We will not have all of that data until the \nend of July. But we are currently--and I think this State has \nbeen in the press. The State that we are most concerned about \nis Mississippi.\n    Mr. Lankford. Okay.\n    Ms. Tavenner. Otherwise----\n    Mr. Lankford. So that it looks like all States will have \nmore than one option on the exchange?\n    Ms. Tavenner. Correct.\n    Mr. Lankford. Okay. Thank you.\n    Mr. Jordan?\n    Mr. Jordan. Thank you, Mr. Chairman.\n    I just want to go back to where the chairman was and be \nclear. Ms. Tavenner, were you consulted at all before the \ndecision was made to delay the employer mandate?\n    Ms. Tavenner. I was not consulted. Now, part of that, in \nfairness, was I was also on vacation at the time. So I was \nactually notified while I was on vacation.\n    Mr. Jordan. Yeah. So you were notified. So you had a cell \nphone. So they got a hold of you, they could talk. I mean, \nyou're the head of CMS, and you weren't even--they didn't even \ntalk to you before they made this decision?\n    Ms. Tavenner. I think the decision was made with IRS as a \npredominantly----\n    Mr. Lankford. Mr. Chao, did they talk to you? Were you \nconsulted before the White House decided to do this?\n    Mr. Chao. No.\n    Mr. Jordan. Mr. Milholland, were you consulted?\n    Mr. Milholland. No, sir.\n    Mr. Jordan. You weren't consulted?\n    Mr. Milholland. No, sir.\n    Mr. Jordan. Mr. Werfel told us--told me about an hour ago \nyou were the expert, and they didn't even call you?\n    Mr. Milholland. I was not consulted.\n    Mr. Jordan. Was Mr.--to your knowledge, was Mr. Werfel \nconsulted?\n    Mr. Milholland. I believe Mr. Werfel said he received \nnotification on----\n    Mr. Jordan. So none of the people who are going to be \nimplementing this were even asked, is this the right move?\n    Was Sarah Hall--to your knowledge, Mr. Milholland, was \nSarah Hall Ingram consulted?\n    Mr. Milholland. I do not know.\n    Mr. Jordan. That's amazing to me.\n    You know, Ms. Speier talked about folks who want to throw a \ntrain wreck into--or throw a--mixed metaphor--throw sands into \nthe gears. I would just remind, it hasn't been Republicans \nwho--and we have Mr. Baucus, one of the architects of the law, \ncalling it a train wreck. We have the President suspending the \nlaw without consulting the people who have to actually make it \nwork.\n    Mr. Chao, you made a statement back in March that you hoped \nthe exchanges wouldn't be a, quote, ``third-world experience.'' \nSo you obviously had some knowledge and some concerns to prompt \nthat statement. Are those concerns still relevant, still valid?\n    Mr. Chao. I was speaking before an audience of issuers that \nI had spoken to before, and it was a poor attempt at humor. So \nI wouldn't necessarily----\n    Mr. Jordan. I don't know that it was a poor attempt at \nhumor. It may have been--you know, you may have been a \nvisionary, you may have been a prophet.\n    I mean, this is--the fact that they didn't even talk to you \nis what I think is amazing. You don't talk to the head of CMS, \nyou don't talk to the head of the IRS, you don't talk to the \nperson at the IRS who is actually in charge of the Affordable \nCare Act Office, you don't talk to the technical database \nexpert, Mr. Milholland. You just decide one day you're going to \nwaive part of the law.\n    I mean, we had the previous Democrat talk about when \nMedicare was--I'd be your curious to know if the President at \nthe time Medicare was implemented, if he asked for a delay in \nthe law. Maybe he did, but I don't know about it.\n    This is amazing.\n    But let me ask you one specific question, Ms. Tavenner. In \nFebruary of this year, HHS System of Records Notice includes \nthe following statement: ``The Secretary''--you--``along with \nother appropriate agencies, will establish an appeals process \nfor individuals and employers when eligibility is denied as a \nresult of inconsistencies between information obtained from \napplicants and enrollees and employers and information and data \nverified through the exchange.''\n    I have no idea what all that means; I hope you can tell me. \nMaybe you can define what ``inconsistencies'' are. Do you have \na list of what those may be? You obviously anticipate problems \nbecause you're setting up an appeals process, so can you give \nme some insight into that?\n    Ms. Tavenner. So the appeals process is required in the \nlaw, but I will remind you, there's also an appeals process \ntoday in Medicaid and CHIP and other programs, because \nsometimes----\n    Mr. Jordan. I understand that. Do you have--but, I mean, \nspecifically, what are you thinking about? Obviously, you think \nthat it's going to happen. The law requires you have some kind \nof appeals process. That makes sense to me; we understand that. \nWhat are some of the anticipated inconsistencies?\n    Ms. Tavenner. So I think perhaps people submit information \nand they get denied, and they believe their information was \nincorrect and they want to bring new information forward. But \nI'll be happy to get you a list.\n    Mr. Jordan. So you don't know what the list is. You just \nuse the term ``inconsistency'' because you anticipate there's \ngoing to be problems.\n    Ms. Tavenner. No, we're----\n    Mr. Jordan. You anticipate this, in fact, could be a train \nwreck. You anticipate, in fact, this could be a third-world \nexperience.\n    Ms. Tavenner. I do not anticipate that. And the--we are \ncurrently in rulemaking on the appeals process, and the final \nrule will be out shortly.\n    Mr. Jordan. Do you think the--do you think everything could \nbe up and running, working on October 1st, and the start of \nnext year, this law can be fully implemented, working, you \nthink it can all function the way it's supposed to, the way the \nfolks who voted for it designed it to, do you think that can \nall happen?\n    Ms. Tavenner. Yes, sir. You know, my background has been--\n--\n    Mr. Jordan. Okay. So if you think that can all work, you \nwould think the administration would call you up and consult \nwith you before they decided to say, ``You know what? We don't \nthink it can, and we're going to delay part of it.'' That seems \nlogical to me, doesn't it?\n    Doesn't that seem logical to you, that you, the person in \ncharge of it, would be called, would be consulted? Don't you \nthink it makes sense for you to be consulted before a major \ndecision, a major element of the law is simply waived for a \nyear?\n    Ms. Tavenner. The employer mandate rests within IRS----\n    Mr. Jordan. That's not what I asked. Don't you think it \nmakes sense for you, the head of CMS, charged with implementing \nthis law, don't you think it makes sense for you to be \nconsulted?\n    Because if you don't, then that's scary, too. If you don't \nthink, as the person who heads CMS, you should be consulted \nbefore a major decision to unilaterally just delay part of the \nlaw should take place, if you don't think you should be \nconsulted, then I've got concerns on that side, as well.\n    So do you think you should've been consulted?\n    Ms. Tavenner. I think I've been consulted all along.\n    Mr. Jordan. Well, no, that's not--you just told me--4 \nminutes ago, you just told me you weren't consulted.\n    Ms. Tavenner. I'm----\n    Mr. Jordan. So which one is it? Because you have to tell us \nwhat really happened. You can't have it both ways. Were you \nconsulted or weren't you consulted?\n    Ms. Tavenner. I was not consulted. I'm just saying that----\n    Mr. Jordan. Well, then----\n    Ms. Tavenner. --in the last year----\n    Mr. Jordan. Now, wait a minute. So, then, 10 seconds ago, \nyou just said you were.\n    Mr. Lankford. I'll ask the gentleman to let her answer.\n    Ms. Tavenner. Please let me finish my sentence.\n    Mr. Jordan. I want you to finish, and I just want you to \nfinish it truthfully, because you've told me two different \nthings.\n    Ms. Tavenner. Well, I take objection to that, because I've \ntold you the truth.\n    Mr. Jordan. We can read the transcript.\n    Mr. Lankford. I would ask the gentleman to let her finish \nanswering.\n    Ms. Tavenner. Thank you.\n    So the last 3-1/2 years, I actually started----\n    Mr. Jordan. I want you to answer one question. Were you \nconsulted or not? And now I'll let you answer.\n    Ms. Tavenner. I've said I was----\n    Mr. Jordan. Were you consulted?\n    Ms. Tavenner. --not consulted.\n    Mr. Jordan. Okay. Thank you.\n    Thank you, Mr. Chairman.\n    Ms. Tavenner. And I guess I won't get to finish my----\n    Mr. Lankford. No, go ahead. You can respond.\n    Ms. Tavenner. For the last 3-1/2 years, I've worked at CMS. \nI started at the time that the rule--that the law was actually \npassed. And I have been an integral part of every decision \nthat's made.\n    In the case of the IRS and the employer mandate, I was not \nconsulted.\n    I do feel like I'm part of the process.\n    Thank you.\n    Mr. Lankford. And, by the way, we assumed you are part of \nthe process. You have been an integral part of that. That's \nsomewhat the surprise to us. We're trying to figure out where \nthis came from. And it is a major shift in what's happening. \nAnd we assumed there was some conversation in trying to figure \nout the whys and the whats with it. And that clarification has \nnot come. We've also written letters to the administration to \ntry to get some clarification. So it's not just on you. It's a \nsurprise, as well. We would assume that IRS and CMS would be \nconsulted on this process and would be a part of the decision-\nmaking.\n    You all have had a very long day. I appreciate you being \nhere. I hope you get a nice, relaxing lunch where it's quiet \nand to be able to get some time away on that.\n    With that, this hearing is adjourned.\n    [Whereupon, at 1:10 p.m., the subcommittees were \nadjourned.]\n\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n                                 <all>\n\x1a\n</pre></body></html>\n"