[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
   EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S 
                     INFORMATION SHARING APPARATUS 

=======================================================================

                             JOINT HEARING

                               before the

                     SUBCOMMITTEE ON ENERGY POLICY,
                      HEALTH CARE AND ENTITLEMENTS

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                                and the

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 17, 2013

                               __________

                           Serial No. 113-66

             (Committee on Oversight and Government Reform)

                           Serial No. 113-25

                    (Committee on Homeland Security)

Printed for the use of the Committee on Oversight and Government Reform

         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

86-193 PDF                       WASHINGTON : 2014 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001


              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, 
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              MARK POCAN, Wisconsin
DOC HASTINGS, Washington             TAMMY DUCKWORTH, Illinois
CYNTHIA M. LUMMIS, Wyoming           ROBIN L. KELLY, Illinois
ROB WOODALL, Georgia                 DANNY K. DAVIS, Illinois
THOMAS MASSIE, Kentucky              PETER WELCH, Vermont
DOUG COLLINS, Georgia                TONY CARDENAS, California
MARK MEADOWS, North Carolina         STEVEN A. HORSFORD, Nevada
KERRY L. BENTIVOLIO, Michigan        MICHELLE LUJAN GRISHAM, New Mexico
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director

      Subcommittee on Energy Policy, Health Care and Entitlements

                   JAMES LANKFORD, Oklahoma, Chairman
PATRICK T. McHENRY, North Carolina   JACKIE SPEIER, California, Ranking 
PAUL GOSAR, Arizona                      Minority Member
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
JASON CHAFFETZ, Utah                     Columbia
TIM WALBERG, Michigan                JIM COOPER, Tennessee
PATRICK MEEHAN, Pennsylvania         MATTHEW CARTWRIGHT, Pennsylvania
SCOTT DesJARLAIS, Tennessee          TAMMY DUCKWORTH, Illinois
BLAKE FARENTHOLD, Texas              DANNY K. DAVIS, Illinois
DOC HASTINGS, Washington             TONY CARDENAS, California
ROB WOODALL, Georgia                 STEVEN A. HORSFORD, Nevada
THOMAS MASSIE, Kentucky              MICHELLE LUJAN GRISHAM, New Mexico
                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice    Brian Higgins, New York
    Chair                            Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Chris Stewart, Utah                  Steven A. Horsford, Nevada
Richard Hudson, North Carolina       Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
                       Greg Hill, Chief of Staff
          Michael Geffroy, Deputy Chief of Staff/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                 Lanier Avant, Minority Staff Director

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                 Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                 Yvette D. Clarke, New York
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Jason Chaffetz, Utah                 Filemon Vela, Texas
Steve Daines, Montana                Steven A. Horsford, Nevada
Scott Perry, Pennsylvania            Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Alex Manning, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk



                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 17, 2013....................................     1

                               WITNESSES

Mr. Alan R. Duncan, Assistant Inspector General for Security and 
  Information Technology Services, Treasury Inspector General for 
  Tax Administration
    Oral Statement...............................................     9
    Written Statement............................................    11
The Hon. Daniel Werfel, Principal Deputy Commissioner, Internal 
  Revenue Service
    Oral Statement...............................................    22
    Written Statement............................................    24
The Hon. Marilyn B. Tavenner, Administrator, Centers for Medicare 
  and Medicaid Services, U.S. Department of Health and Human 
  Services
    Oral Statement...............................................    29
    Written Statement............................................    31
Mr. John Dicken, Director, Health Care, U.S. Government 
  Accountability Office
    Oral Statement...............................................    39
    Written Statement............................................    41

                                APPENDIX

Letter from Mr. Daniel I. Werfel.................................   101
Opening Statement from Ranking Member Yvette D. Clarke...........   102
ACA Implementation IRS Oversight Board Briefing submitted by Mr. 
  Jordan.........................................................   103
Statement for the Record submitted by Ranking Member Bennie G. 
  Thompson.......................................................   113


   EVALUATING PRIVACY, SECURITY, AND FRAUD CONCERNS WITH OBAMACARE'S 
                     INFORMATION SHARING APPARATUS

                              ----------                              


                        Wednesday, July 17, 2013

                  House of Representatives,
    Subcommittee on Energy Policy, Health Care and 
Entitlements, Committee on Oversight and Government 
                             Reform, joint with the
 Subcommittee on Cybersecurity, Infrastructure Protection, 
 and Security Technologies, Committee on Homeland Security,
                                                   Washington, D.C.
    The subcommittees met, pursuant to call, at 10:00 a.m., in 
Room 2154, Rayburn House Office Building, Hon. James Lankford 
[chairman of the Subcommittee on Energy Policy, Health Care and 
Entitlements, Committee on Oversight and Government Reform] 
presiding.
    Present: Representatives Lankford, Meehan, Gosar, McHenry, 
Jordan, Walberg, DesJarlais, Perry, Woodall, Black, Issa (ex 
officio), Speier, Clarke, Cardenas, Lujan Grisham, Maloney, and 
Cummings (ex officio).
    Staff present from the Committee on Government Reform: Kurt 
Bardella, Senior Policy Advisor; Brian Blase, Senior 
Professional Staff Member; Molly Boyl, Senior counsel and 
Parliamentarian; Lawrence J. Brady, Staff Director; Caitlin 
Carroll, Deputy Press Secretary; Katelyn E. Christ, 
Professional Staff Member; John Cuaderes, Deputy Staff 
Director; Adam P. Fromm, Director of member Services and 
Committee Operations; Linda Good, Chief Clerk; Meinan Goto, 
Professional Staff Member; Tyler Grimm, Senior Professional 
Staff Member; Christopher Hixon, Deputy Chief Counsel, 
Oversight; Mark D. Marin, Director of Oversight; Emily Martin, 
Counsel; Scott Schmidt, Deputy Director of Digital Strategy; 
Rebecca Watkins, Deputy Director of Communications; Jaron 
Bourke, Minority Director of Administration; Yvette Cravins, 
Minority Counsel; Susanne Sachsman Grooms, Minority Deputy 
Staff Director/Chief Counsel; Adam Koshkin, Minority Research 
Assistant; Suzanne Owen, Minority Health Policy Advisor; Safiya 
Simmons, Minority Press Secretary; and Mark Stephenson, 
Minority Director of Legislation.
    Staff present from the Committee on Homeland Security: Alex 
Manning, Subcommittee Staff Director; Kevin Gundersen, Senior 
Professional Staff Member; Erik Peterson, Staff Assistant; 
Margaret Anne Moore, Special Assistant to the Chief of Staff; 
Michael McAdams, Deputy Press Secretary; Natalie Nixon, Deputy 
Chief Clerk; Christopher Schepis, Minority Senior Professional 
Staff Member; and Adam Comis, Minority Communications Director.
    Mr. Lankford. Committee will come to order. I would like to 
begin this hearing by stating the Oversight Committee mission 
statement. We exist to secure two fundamental principles. 
First, Americans have the right to know the money Washington 
takes from them is well spent. Second, Americans deserve an 
efficient, effective government that works for them. Our duty 
on the Oversight and Government Reform Committee is to protect 
these rights. Our solemn responsibility is to hold government 
accountable to taxpayers because taxpayers do have a right to 
know what they get from their government. We will work 
tirelessly in partnership with citizen watchdogs, deliver the 
facts to the American people, and bring genuine reform to the 
federal bureaucracy. This is the mission of the Oversight and 
Government Reform Committee.
    Today's hearing is focused on the purpose and design of the 
huge information-sharing apparatus being constructed to 
implement the Affordable Care Act. Therein, we'll examine who 
will have access to sensitive personal information, who will 
contribute data, how the government will protect this 
information, and why this information is necessary at all. We 
have the unusual combination of the IRS and HHS in our panel 
today because to accomplish the legal requirements of the ACA, 
it must work together to combine data from millions of people 
to allow exchanges to verify the subsidies and manage the 
intricacies of the Affordable Care Act.
    This is an oversight hearing on the implementation of the 
law as well as with Homeland Security. The people giving 
testimony today did not write the law. They are only trying to 
make this confusing system work, so we get that. So we'll have 
a lot of questions back and forth today to be able to process 
on how to get this accomplished. We are not going to try to 
hold you responsible for the origin of the law, but we will 
have decisions about the variety of decisions that you have 
made to prepare to implement and enforce the law.
    The other large amount of information sharing raises the 
risk of identity theft and other types of misuse. This risk is 
even more pronounced since the Department of Health and Human 
Services has missed several of their own self-imposed 
deadlines, and we'll want to know where we are on that.
    A document obtained for GAO revealed that as of April 2013, 
the department had only completed 20 percent of its work to 
establish appropriate privacy protections and capacity to 
accept, store, associate, and process documents from an 
individual applicant. Today, we hope to hear about the progress 
of the other 80 percent of that work. Two weeks ago, Treasury 
announced that they would delay the employer mandate until 
2015. Just days later, the administration released another 650 
pages of regulations that limited the degree of applicant 
verification required by exchanges during the first year of 
implementation.
    Instead of verifying, applicants will now be on the honor 
system for the subsidy. The potential for fraud and honest 
mistakes are multiplied since no one understands this law, the 
subsidies standards, how the administration defines a qualified 
employer health plan or a myriad of other issues.
    While I believe that the employer mandate is a terrible 
public policy that's already hurt hundreds of thousands of 
Americans through fewer jobs or reduced work hours, the 
administration cannot just rewrite the law on the fly. 
Moreover, because of the Rube Goldberg construction of 
Obamacare, the delay in the employer mandate and refusal to do 
proper applicant verification means that the Federal Government 
will waste billions of dollars next year subsidizing people's 
health insurance who are ineligible for coverage under the law.
    The IRS has recently become highly politicized under this 
Administration around the implementation of the ACA and the 
rights of people from all political perspectives to operate on 
a nonprofit and in a nonprofit organization. After the passage 
of the ACA, the IRS Commissioner Shulman visited the White 
House over 100 times in a 2-year period to discuss Obamacare 
implementation. Shulman's predecessor at IRS, Mark Everson, 
shared his concern at an Oversight Committee hearing last year 
about the problem with the IRS being so deeply involved with 
Obamacare and the serious threat this poses to the historic 
independence of the IRS.
    Sarah Hall Ingram has led IRS' implementation of the 
Affordable Care Act for 3 years. She was originally invited to 
testify at this hearing. However, because she may be also 
intricately connected to the IRS' targeting of conservative 
nonprofit groups, I have accepted Acting IRS Commissioner 
Werfel's offer to testify in her place. There are many 
questions and issues facing the IRS, but today's focus is on 
the data hub and on data sharing that is required because of 
the ACA. I welcome Commissioner Werfel's testimony today.
    Marilyn Tavenner, administrator for CMS, finally, after a 
very long process there as acting, is also here today to field 
questions related to the Federal data hub. Hopefully, she's 
prepared to address specific concerns about the possible cyber-
related attacks, as well as the recent AP story from last 
weekend that the uninsured could fall victim to fraud, identity 
theft, or other crimes at the hands of some of the very people 
who are supposed to help them enroll.
    I welcome the attendance of all of our witnesses today, and 
we'll spend time introducing everyone in the moments ahead.
    With that, I would like to recognize the ranking member of 
Oversight committee, Ms. Speier.
    Ms. Speier. Mr. Chairman, thank you, and I thank you and 
Chairman Meehan for calling today's important hearing, and I 
thank all of the witnesses for being here to participate.
    The Affordable Care Act extends health insurance coverage 
to tens of millions and uninsured and underinsured Americans to 
help them obtain necessary medical care. Already, millions of 
Americans have directly benefitted from the Affordable Care 
Act: 2.5 million young adults, my son being one of them, now 
have health insurance on their parent's plan. The parents of 
over 17.6 million children with pre-existing conditions no 
longer have to worry that their children will be denied 
coverage. More than 32.5 million seniors have already received 
one or more free preventative services, including the new 
annual wellness visit. Starting this October, millions more 
Americans will be able to easily compare and choose affordable 
private health insurance plans for the first time when health 
exchanges open in every State. Many low-income applicants will 
qualify for subsidies. Those shopping for insurance will no 
longer have to worry that they will be denied coverage because 
of a pre-existing condition or worry that one serious illness 
and hospital stay will exhaust their lifetime limits, leading 
them to financial bankruptcy.
    Some have speculated that Obamacare will not work or at 
least that the October deadline might not be met. A June 2013 
GAO report raised the issue of some missed deadlines but 
ultimately concluded that implementation was feasible and on 
track. This is a welcome news, and I look forward to hearing 
from the GAO today on how the process is proceeding. I also 
would like to know what impact sequestration has on the ability 
of those who are supposed to implement the Affordable Care Act 
are being frustrated.
    GAO also determined that CMS has developed contingency 
plans to be ready for unexpected development so the exchanges 
will be able to open on schedule in October. HHS has long 
experience with complicated health systems involving sensitive 
personal information, like Medicare, Medicaid and Medicare Part 
D. Getting the healthcare exchanges up and running is without a 
doubt a highly complex undertaking, made more complicated by 
the decisions of many States to have the Federal Government run 
their exchanges, and it is unlikely to be perfect out of the 
gate. But no major program has launched without a few hiccups.
    I am pleased there are concrete plans to mitigate any 
disruptions of the exchange system and to ensure the integrity 
of data hub communications between HHS, the IRS, DHS, and the 
Social Security Administration, States that other agencies 
involved in determining applicants' eligibility. At the same 
time, the scope of this new program requires that we ensure 
that it is carried out in a way that protects the privacy and 
security of those applying for insurance and prevents fraud by 
those seeking subsidies.
    The privacy of enrollee information is non-negotiable. 
Legitimate concerns have been raised about whether the security 
structure of the data hub that CMS has put into place will be 
sufficient when the exchange is launched in October. Today, I 
hope to learn from these witnesses the actual details of 
efforts to ensure security and privacy in the data hub. I am 
encouraged by Ms. Tavenner's written statement debunking the 
notion that in pursuit of access to care, we have to sacrifice 
privacy. Such statements must be backed by action and all 
parties to the transaction must have the same commitment. Mere 
promises are not enough, but we should also listen to the facts 
and not pre-judge the efforts of thousands of dedicated Federal 
and State employees working to make this law a reality.
    At the same time, I'm troubled by recent reports of the 
IRS' unintentional exposure of personal information submitted 
by organizations seeking tax exemption under section 527 of the 
IRC. I am pleased that the agency moved swiftly to correct the 
situation when it was detected. Such privacy breaches are 
unacceptable and should not happen at all.
    Lastly, Mr. Chairman, I am concerned by the efforts of some 
to sabotage the implementation of the Affordable Care Act by 
making sweeping allegations about the theoretical potential for 
fraud and other possible failings. I hope this hearing today is 
not an attempt to do that. The purpose of this committee, as 
you have pointed out in your opening statement, is to conduct 
oversight of programs like the Affordable Care Act, to ensure 
that it is carried out properly, and to uncover waste, fraud, 
and abuse.
    I look forward to additional hearings over the next several 
years once we see the program actually in operation. I also 
hope Congress will not deny the funding needed to ensure that 
the exchanges and the data hub can operate in a safe and secure 
manner. In fact, I hope to learn from our witnesses today how 
sequestration and budget cuts have impacted their ability to 
implement the law and protect enrollees' privacy.
    The Affordable Care Act is the law of the land. It has been 
upheld by the United States Supreme Court. Now, Congress' duty 
is to oversee its implementation, not to seek to delay it or 
cause it to fail in its mission.
    Today's hearing is a distinct opportunity to address 
legitimate concerns with those lead agencies charged with 
bringing the exchange system to fruition. I look forward to 
their testimony.
    Mr. Lankford. I now recognize the chairman of the Homeland 
Security Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, Mr. Meehan.
    Mr. Meehan. I thank the gentleman, and I thank the members 
of both committees who have participated in today's hearing.
    I thank the witnesses for their presence today, and all the 
members of the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies.
    This hearing comes at a critical time in implementing one 
of the key aspects of the President's healthcare law, the 
Federal data hub. It's not my intention to relitigate the 
Affordable Care Act at today's hearing but rather to provide 
crucial oversight over the government's establishment of the 
Federal data hub. As a result of the Affordable Care Act, the 
Department of Health and Human Services is building an enormous 
data-sharing network between State health insurance exchanges 
and numerous Federal agencies.
    The purpose of the data-sharing hub is for the government 
to determine whether Americans who enter the exchange are 
eligible to do so. As the chairman of the House Homeland 
Security Committee's Cybersecurity Subcommittee, we've looked 
extensively at the access to and management of personally 
identifiable information by the Federal Government. I don't 
need to explain to this committee or to our witnesses or to the 
American public from where our concerns emanate. We've 
witnessed all too recently how sensitive information can be 
mismanaged by the Federal Government. We have seen how cyber 
attacks from adversarial nations who seek to infiltrate our 
country's military and intelligence information have breached 
our most secure networks. We've watched--we have watched as 
thieves have stolen our top innovators' intellectual property. 
We have witnessed America's financial services institutions 
succumb to barrages of attacks by those who wish to do our 
nation and our very life harm.
    These are the institutions that have the best in the form 
of protections at this point in time. FBI Director Robert 
Mueller said that the cyber threat will be the number one 
threat to our country, a remarkable thing to be said. NSA 
Director Keith Alexander called a loss of intellectual property 
through cyber espionage the greatest transfer of wealth in 
history. And Former Secretary of Defense Leon Panetta said the 
cyber attacks could shift from espionage to destruction, the 
variability to get inside this network and to destroy the 
ability for it to communicate at all if it is not a secure 
system. And the Director of National Intelligence, James 
Clapper has said that potentially disruptive and even lethal 
technology continues to become easier to access and that we 
foresee a cyber environment in which emerging technologies are 
developed and implemented before security responses can be put 
in place. This is the best of our systems.
    I would like to see how this system is set up to protect 
against those kinds of threats. These are serious people that 
are talking about these issues. We've been charged with 
securing the most critical data in the world, and although no 
one could certainly make the argument that the personally 
identifiable information of millions of Americans is just as 
critical and critical to our Nation's data security.
    Javelin Strategy and Research felt that $12.6 million 
Americans are victims of identity theft each year. And a 
February 2000 study of the Center for Strategic and 
International Studies found that 85 percent of government and 
private sector network breaches took months to be discovered. 
Pricewaterhouse estimates that one-third of breaches come from 
employees. We are going to literally have thousands, 22,000 
estimated alone, navigators just in the State of California.
    With over 20 million Americans estimated to enter into the 
exchange over the next 5 years, this leads to the question, 
which I believe must be answered at today's hearings, Are you 
ready? Does CMS have the tools in place to secure the 
information for over 20 million Americans? Who and how many 
will have access to this information? How do we ensure 
competence in those who have access? I have grave concerns 
about the ability to establish sufficient security in this 
massive unprecedented network by October 1st--that's just 75 
days away--when our most secure networks are being breached 
every single day. Every sector, every agency, every industry 
concerned with security will tell you they are only as strong 
has the weakest link. I hope that our panel today can allay 
some of these concerns, but I fear that our government is about 
to embark in an overwhelming task that will at best carry an 
unfathomable price tag and at worse place targets on every 
American who enters the exchange.
    I look forward to hearing from you today, and I yield back 
my time.
    Mr. Lankford. Now recognize the chairman of the full 
committee for Oversight and Government Reform, Mr. Issa.
    Mr. Issa. Thank you, Mr. Chairman, and thank you for 
holding this important hearing. As my colleague from 
California, Ms. Speier, said, Obamacare is the law of the land. 
What she didn't say is sequestration is the law of the land, 
and both were signed by this President. So my expectation is 
that the President has to know that he has to live within the 
budget he signed; he has to live within the funding he signed, 
that the cost overruns that CBO now knows are in Obamacare--the 
``it's going to be balanced,'' to ``it's going to be nearly 
balanced,'' to ``it's going to be a trillion dollar train 
wreck'' is coming, but that's not the subject today.
    The subject today, quite frankly, is the privacy of the 
American people and the accuracy of the data, and waste, fraud, 
and abuse. I have less confidence in today's hearing for only 
one reason: A key witness, Sarah Hall Ingram, who has 3 years 
of full-time experience since the passage of the bill, in some 
inexplicable way finds herself unable to be here, while I'm 
uniquely offered her boss. And I appreciate the Commissioner 
being here, but that's unheard of.
    Time and time again this committee has asked for Cabinet 
officers, only to appropriately find somebody beneath that 
person who is able to answer our questions, so today we are 
going to have the top boss in his 65 days and probably his 55th 
appearance on Capitol Hill to answer questions. And I 
appreciate his presence, and I'm not trying to belittle the 
technical staff with him. But it goes to the root of this is a 
program so grand and so great that it pales Medicare in its 
shadow, it pales Medicaid in its shadow, and that's what we're 
dealing with.
    The data of every American potentially will be transferred 
or will be transferred. Now, let's understand that. It's not 
being transferred to one place. In the cyber world, you have to 
look at every end tentacle. Somebody at some station, somewhere 
in Chico, California, is going to have an outlet to the 
California exchange that is going to ultimately be connected to 
that data. So, although the IRS might be able to put the 
database in an acceptable system and transfer it, who are they 
transferring it to? Ms. Speier mentioned CMS. I think also the 
chairman mentioned it. CMS. Now, this committee has recent 
experience. CMS is the organization that sent $15.5 billion to 
the State of New York in compensation excess of Federal law. 
And then, when we approached them, they wanted to phase it out 
over time. Well, they were overpaying vast amounts of money to 
the State of New York, to New York institutions owned and 
operated by the State.
    That wasn't a long time ago. Mr. Chairman, that was this 
Congress. We still don't have that $15.5 billion, so when we 
talk about waste, fraud, and abuse and we talk about the 
disclosure of personal information, we are dealing where 
disclosures that occurred under the IRS' watch under this 
President. We are dealing with waste, fraud, and abuse 
estimated by the inspector general to be greater than the 
Army's budget. We lose more than the Army consumes in Medicare 
and Medicaid, so a program that's statutorily--and the 
gentlelady from California is right; the law is the law. The 
law says that we will not subsidize unless the State has an 
exchange. And yet, unilaterally, the President has proposed 
that State After State who chose not to be part of it are to 
have subsidies. So instead of having some States, we now will 
have all the States. Those who chose to do it, will be 
subsidized. Those who choose not to, out of thin air, without 
statutory approval, there will be a Federal exchange that will 
then be subsidized. Those are some of the things.
    Now, the gentlelady from California is a friend and a 
colleague, but we differ on some parts. She thinks that 
Obamacare has done a lot already. I think that it has already 
run up the cost of healthcare. And when the President 
determines, without statutory approval, that one portion will 
not be implemented for an extra year, that on employers, 
because, of course, it's not ready, and yet he thinks that an 
individual mandate and the standing up of exchanges and the 
forcing of every individual in America into a healthcare plan 
not yet defined, with a database not yet secure, is okay?
    I've got to tell them, I have doubts, not about if 
Obamacare will some day be ready, if all the bugs can be worked 
out, but with no pilot and no consistency of the legislation to 
the actual implementation, I've got to tell you, we are at 
least a year further out on not just the President's slowdown 
but on the entire program, and I think today we are going to 
see exactly that, that the plans are there but the pilot and 
test, and if you will, proof of concept being tested, with 
those thousands or hundreds of thousands of terminal access 
points that could be what the ranking--the chairman from 
Homeland Security said, that weak link needs to be tested. I 
look forward to hearing all of the testimony and particularly 
the questions as to the weakest link.
    And I yield back.
    Mr. Lankford. Thank you. All members will have 7 days to 
submit their opening statements for the record.
    We will now recognize our panel.
    Before I recognize each individual, I would like to ask 
unanimous consent that our colleague from Tennessee, Mrs. 
Black, be allowed to participate in today's hearing.
    Ms. Speier. Mr. Chairman, can I also request that the 
ranking member from the Committee on Homeland Security 
subcommittee, Ms. Yvette Clarke's statement be read--be added 
to the record as well.
    Mr. Lankford. Absolutely, without objection, on both of 
those.
    So ordered.
    Mr. Lankford. Mr. Alan Duncan is the assistant inspector 
general for security and information technology services, the 
Office Treasury Inspector General for Tax Administration.
    Mr. Terence Milholland is the chief information officer for 
the IRS.
    Thanks for being here.
    Mr. Danny Werfel is the principal deputy commissioner of 
the Internal Revenue Service.
    Mr. Werfel, how many hearings have you been in so far? The 
chairman had mentioned that.
    Mr. Werfel. I think this is my sixth since arriving here.
    Mr. Lankford. Only six. Okay. We have got to get you to the 
double digits faster.
    Mr. Werfel. I have another one right after this one.
    Mr. Lankford. Well, we will do our best on that.
    Ms. Speier. We would like to--we would like for you to run 
the IRS, though, too.
    Mr. Werfel. I am doing that, too.
    Mr. Lankford. Yeah. The Honorable Marilyn Tavenner is the 
administrator for the Centers of Medicare and Medicaid 
Services.
    Mr. Henry Chao is the deputy chief information officer and 
deputy director of the Office of Information Services in the 
Center for Medicare and Medicaid Services.
    Thanks for being here.
    Mr. John Dicken is the healthcare director for the U.S. 
Government Accountability Office.
    Thank you as well.
    Mr. Lankford. Pursuant to committee rules, all witnesses 
are sworn in before they testify.
    Will you please stand, raise your right hands?
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth and nothing 
but the truth, so help you God?
    Thank you. You may be seated.
    Let the record reflect that all witnesses have answered in 
the affirmative. In order to allow time for discussion, we 
would ask you to limit your testimony to 5 minutes. I think all 
of you have been here before, some more recently than others, 
obviously. There is a clock that's in front of you to give you 
a quite countdown. Your written statement is a part of the 
entire record, so we will give you 5 minutes of time here.
    And Mr. Duncan, I think you get to be the lead off hitter 
in this one.

                  STATEMENT OF ALAN R. DUNCAN

    Mr. Duncan. Thank you.
    Chairman Lankford, Chairman Meehan, Ranking Member Speier, 
Ranking Member Clarke, the members of the--and other members of 
the subcommittees, thank you for the opportunity to testify on 
the Treasury inspector general for tax administration's views 
and observations on the Internal Revenue Service's information 
technology support for the Affordable Care Act, how tax 
information will be provided and the safeguards needed to 
protect taxpayers' data.
    The Affordable Care Act contains an extensive array of tax 
law changes that present many challenges for the IRS. The ACA 
will require collaboration and coordination among many 
organizations. The IRS' role with respect to the ACA is to 
implement and administer the ACA provisions that impact tax 
administration
    This requires developing and implementing computer programs 
that support the State and Federal insurance exchanges and the 
collection of taxes, fees, and penalties that would help fund 
the ACA.
    The IRS' 2014 budget request includes $440 million for 
implementation of the ACA, the largest component of which is 
$306 million for the implementation of information technology 
systems and communications. The ACA health insurance enrollment 
starts in October 2013. The IRS will be receiving health 
insurance related information starting in 2014 from many 
sources, including individuals, employers, insurance companies, 
and the health exchanges.
    The information technology security challenges for the ACA 
are considerable and include implementation of interdependent 
projects in a very short span of time, evolving requirements, 
coordination with internal and external stakeholders, and cross 
agency system integration and testing. The IRS implementation 
plan for ACA exchange provisions include providing information 
on eligibility, calculating the maximum advanced premium tax 
credit and reconciling ACA tax credits with reportable income. 
These provisions require the development of new systems, 
modification of existing systems, new fraud detection systems, 
and the deployment of interagency communication portals.
    The ACA health insurance enrollment process starts when an 
applicant applies at the exchange. To provide support for 
enrollment, the IRS has developed the income and family size 
verification application that will provide exchanges with an 
applicant's tax information. Our audit of this application 
determined that the project was on schedule and the IRS was 
managing knowing information technology risk. However, we do 
have concerns that the Federal tax data provided to the 
exchanges may not be adequately protected in accordance with 
the IRS' safeguards program.
    To assist applicants in the exchanges with selection of the 
appropriate insurance premium, tax credits, the IRS also 
developed the advanced premium tax credit application that will 
inform an applicant of the maximum amount of advanced insurance 
premium that they would be eligible to apply for.
    In the 2015 tax filing season, the IRS will be responsible 
for reconciling the advanced premium tax credit taken with 
actual income and family size during the tax year, which could 
result in a refundable credit or additional tax liability. The 
IRS has developed a plan to prevent and detect fraud and abuse 
during tax return processing that includes ACA transactions. 
TIGTA does have concerns that the new fraud prevention systems 
and/or modifications to existing fraud-detection systems may 
not be operational in sufficient time to identify ACA-related 
fraud schemes. We believe the IRS needs to complete and embed 
predicted analytical ACA fraud models into the tax filing 
process prior to the start of the 2015 tax filing season.
    The HHS and IRS have jointly developed an interagency test 
plan for the upcoming health insurance enrollment. We are 
concerned that final integration testing for all the agency 
systems, communications, and the Federal and State exchanges 
may not be completed before the start of the enrollment period 
in 2013. The lack of adequate testing could result in 
significant delays and errors in accepting and processing ACA 
applications for health insurance coverage.
    Because of the extensive changes to numerous Tax Code 
provisions, concerns related to ACA systems and security and 
the need for interagency coordination, TIGTA plans to continue 
strategic oversight of evolving ACA implementations. Our plan 
requires audit investigative resources to evaluate IRS' role in 
ACA programs and the protection of taxpayer's data.
    Chairman Lankford, Chairman Meehan, members of the 
committees, thank you for the invitation to appear.
    Mr. Lankford. Thank you.
    [Prepared statement of Mr. Duncan follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Lankford. Mr. Werfel.

            STATEMENT OF THE HONORABLE DANIEL WERFEL

    Mr. Werfel. Chairman Lankford, Chairman Meehan, Ranking 
Member Speier and Clark and members of subcommittees, thank you 
for the opportunity to appear before you today to discuss the 
systems being developed to facilitate information sharing among 
the IRS, the Department of Health and Human Services and other 
Federal agencies as part of the Affordable Care Act.
    The IRS has been working to implementing a number of tax-
related provisions within the ACA. The most substantial of 
these provides for premium assistance tax credits to help 
millions of American families afford health insurance starting 
in 2014, when the new health insurance marketplace, also known 
as health insurance exchanges, will begin operating.
    To properly administer ACA provisions, such as the premium 
assistance tax credit, the IRS, HHS, and other Federal agencies 
will need to share individual's personal and financial 
information. For example, the marketplace will need Federal 
taxpayer data to help verify individuals' eligibility for the 
tax credits. Upon request, the IRS will provide income, family 
size, and filing status information from recent tax returns.
    Separately, the IRS will provide a support service to 
compute a maximum advanced premium credit based upon inputs 
from the marketplace. The ACA designates HHS as the conduit for 
information being shared with the marketplace. The taxpayer 
data supplied by the IRS will be transmitted over secure 
encrypted channels through the HHS data hub, which was 
developed to facilitate these data transfers. Our ability to 
share data with HHS is being brought about through new systems 
and services that our information technology division has been 
developing.
    We are on target to have these systems ready when open 
enrollment in the marketplace starts on October 1 of this year. 
Last month, we completed systems development and also finished 
interagency testing with HHS and the Centers for Medicare and 
Medicaid Services. Performance testing of these systems will 
continue through the summer.
    It is important to note that information sharing under the 
ACA will be done against the backdrop of very strong 
confidentiality protections that have been long part of the tax 
laws. In general, section 6103 of the Internal Revenue Code 
prohibits the IRS from sharing tax return data with anyone 
outside the agency. Over the years, however, Congress has 
created a series of narrow exceptions to the restrictions in 
section 6103.
    For example, the IRS is permitted to disclose tax return 
information to other Federal agencies and to State tax 
authorities to facilitate efficient tax administration. The ACA 
provides a specific exception to section 6103 for information 
sharing activities that the IRS will perform under the statute. 
The IRS is already well positioned to ensure the safety and 
security of the data being shared under the ACA, given the 
longstanding experience we have in overseeing the transmission 
of data to Federal and State agencies.
    The IRS office of safeguards has the responsibility for 
monitoring the nearly 300 Federal and State agencies that 
currently are permitted to receive tax return data to ensure 
they are complying with strict safeguarding requirements we 
impose on them.
    To prepare for data sharing under the ACA, the IRS has been 
collaborating with HHS and other agencies on the processes and 
written agreements needed to protect personal information, 
including tax return data. Among our collaborative efforts, the 
IRS and HHS have entered into a computer matching agreement or 
CMA, which details the operations of the data exchanges and 
various disclosure restrictions and other requirements.
    Just this week, the CMA was signed by both agencies and 
transmitted to the Treasury Data Integrity Board for approval. 
After approval by Treasury and HHS, it will be transmitted to 
Congress for the required notice period and be effective when 
open enrollment begins on October 1.
    The IRS is subjecting the health insurance marketplace and 
State agencies seeking tax return data under the ACA to 
significant data protection requirements. Before one of these 
entities can obtain tax return information, it must submit a 
Safeguard Procedures Report, or SPR to the IRS for its 
approval. This report details the steps that the entity has 
established or plans to take to protect the confidentiality of 
the tax records it will be handling.
    Taxpayer data will be withheld from entities that fail to 
establish adequate safeguards. The IRS will provide a list of 
entities with approved SPRs to HHS by October 1. Going forward, 
we will provide ongoing oversight to ensure that all entities 
involved in data sharing continue to meet the safeguarding 
requirements.
    Chairman Lankford, Chairman Meehan, and Ranking Member 
Speier and Clarke, that concludes my statement. I would be 
happy to take your questions.
    [Prepared statement of Mr. Werfel follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Lankford. Ms. Tavenner.

         STATEMENT OF THE HONORABLE MARILYN B. TAVENNER

    Ms. Tavenner. Good morning, Chairman Lankford
    Mr. Lankford. We need to get you button on there so we can 
all hear you.
    Ms. Tavenner. Thank you. Good morning. I would like to 
thank you for the opportunity to discuss the Center for 
Medicare and Medicaid Service's progress in implementing the IT 
systems in support of the new health insurance marketplace.
    Since the passage of the Affordable Care Act, CMS has been 
hard at work designing, building, and testing secure systems 
that ensure Americans are able to enroll in affordable health 
coverage. I want to assure you that October 1, 2013, the health 
insurance marketplace will be open for business. Consumers will 
be able to log onto healthcare.gov, fill out an application and 
find out what coverage and benefits they qualify for.
    I also want to assure you and all Americans that when they 
fill out their marketplace application, they can trust that the 
information they are providing is protected through the highest 
privacy standards, and the technology underlying this 
application process has been tested and is secure.
    I want to quickly walk you through what we're building, how 
it works and what data we are storing. I know there has been 
some confusion about the marketplace, its IT system and how 
data will be used. I want to make two points clear.
    First, while the marketplace application asks for some 
personal information, such as name, address, Social Security 
number, and date of birth, the marketplace application never 
asks for personal health information and the marketplace IT 
systems will never access or store personal health information 
beyond that which is routinely used when applying for Medicaid.
    Second, CMS prioritizes the privacy and security of 
applicant's data. CMS designed the marketplace IT system in a 
way to minimize all possible security vulnerability, and we 
especially focused on storing the minimum amount of personal 
data possible. With that clear, let's move to the first 
question people often ask. What is it that we are building?
    The Affordable Care Act directs States to establish State-
based marketplaces by January 1 of 2014. In States electing not 
to establish such a marketplace, the Affordable Care Act 
requires that the Federal Government establish and operate a 
marketplace in the State which is frequently referred to as the 
Federally Facilitated Marketplace. This marketplace will 
provide consumers access to healthcare coverage through private 
qualified health plans, and consumers seeking financial 
assistance may qualify for insurance affordability programs 
through the marketplace such as tax credits.
    In order to enroll in an insurance affordability program 
through the marketplace, individuals must complete an 
application and meet certain eligibility requirements. To 
fulfill these functions, Federally Facilitated and State-based 
marketplaces are developing eligibility, redetermination and 
appeals IT systems. These IT systems are similar to what 
private issuers, Medicare Advantage issuers, and State Medicaid 
agencies currently use to carry out the same functions. Because 
these IT systems that perform the basic functions of the 
marketplace, CMS is developing a tool, which is known as the 
Federal Data Services Hub, which provides the electronic 
connection between the eligibility systems of the marketplace 
to already existing secure Federal and State databases to 
verify that information is correct, and that consumer provides 
in the marketplace application.
    It is important to understand that the hub is not a 
database. It does not retain or store information. It is a 
routing tool that can validate applicant information from 
various trusted government databases through secure networks. 
It allows the marketplace, Medicaid and CHIP systems to query 
government databases used today. The hub will only query the 
databases necessary to determine eligibility for specific 
applicants. The hub increases by efficiency and security by 
eliminating the need for each marketplace, each Medicaid agency 
and each CHIP agency to set up separate data connections to 
each database. We know that vulnerability increases when the 
number of connections to a database increase. That's why we 
created the hub. The hub provides one highly secured connection 
to trusted Federal and State partners' databases used today 
instead of requiring each agency to set up what would have 
amounted to hundreds of different connections.
    We have completed development in the majority of the 
testing of the hub services. All testing for the hub will be 
completed by the end of August. And with that, I'll conclude 
and be happy to answer any questions.
    Mr. Lankford. Thank you.
    [Prepared statement of Ms. Tavenner follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Lankford. Mr. Dicken.

                    STATEMENT OF JOHN DICKEN

    Mr. Dicken. Good morning, Mr. Chairman, ranking members and 
members of subcommittees, I am pleased to be here today to 
discuss issues with data systems that will be a critical 
component of the new health insurance exchanges. As you have 
heard this morning, starting in October, health insurance 
exchange in each State will provide new marketplaces where 
eligible individuals can compare and select health plans.
    To support the exchange's efforts to determine applicant's 
eligibility to enroll, CMS is building a tool called the 
Federal Data Services Hub. This data hub is intended to provide 
one electronic connection to Federal sources for near realtime 
date access to data, as well as to provide access to State and 
other data sources needed to verify consumers' application 
information. Several million Americans are expected to enroll 
in qualified health plans offered through the exchanges, once 
coverage begins in 2014.
    My comments today highlight key findings from a report that 
GAO issued last month on the status of CMS' efforts to 
establish Federally Facilitated Exchanges in 34 States and to 
establish the data hub to support exchanges in all States. 
These findings are based in large part on our review of 
planning documents that CMS used to track Federal and State 
activities, including the development and implementation of the 
data hub, as well as interviews with CMS officials.
    In brief, CMS has completed many activities necessary to 
establish Federally Facilitated Exchanges by October 1st, 
although many activities remain to be completed and some were 
behind schedule. As examples of progress made, CMS has issued 
numerous regulations and guidance and taken steps to establish 
processes and data systems necessary to operate the exchanges. 
But the exchange's ability to effectively carry out eligibility 
determination and enrollment activities on October 1st will be 
dependent on CMS' successful implementation of the data hub. 
CMS is expected to complete development and testing of the 
information secure technology systems necessary for the data 
hub by October 1st, as Administrator Tavenner just indicated. 
CMS began both internal and external testing for the data hub 
in October of last year as planned.
    According to program officials and our review of project 
schedules, CMS established milestones that aimed to complete 
the development of required data hub functionality by this 
month and for full implementation and operational readiness by 
September. Additionally, CMS has begun to establish the 
required technical security and data-sharing agreements with 
federal partner agencies and States.
    While CMS data does, thus far, met project schedules and 
milestones for establishing agreements and developing the data 
hub, at the time of our report, several critical tasks remained 
to be completed before the October 1st implementation. These 
included finalizing service level agreements between CMS, the 
States and Federal partner agencies in completing external 
testing with all Federal partner agencies in all States.
    In conclusion, Federally Facilitated Exchanges in the 
federal data services hub are central to the goals under the 
Patient Protection and Affordable Care Act of having health 
insurance exchanges operating in each State by 2014 and of 
providing a single point of access to the health insurance 
market for individuals. Their development has been a complex 
undertaking involving the coordinated actions of multiple 
Federal, State and private stakeholders. It has also required 
the creation of an information system to support connectivity 
and near realtime data sharing between exchanges and multiple 
Federal and State agencies.
    Much progress has been made; nevertheless, much remains to 
be accomplished within a relatively short amount of time. CMS' 
time lines provide a roadmap to completion of the required 
activities by the start of enrollment on October 1st. However, 
the large number of activities remaining to performed, some 
close to the start of enrollment, suggests a potential for 
challenges going forward. And while the interim deadlines 
missed thus far may not affect implementation, additional 
missed deadlines closer to the start of enrollment could do so.
    At the time of our report, CMS had recently completed risk 
assessments and plans for mitigating identified risks 
associated with the data hub and was also working on strategies 
in each State to address State preparedness contingencies. 
Whether this contingency planning will assure the timely and 
smooth implementation of exchanges by October 2013 cannot yet 
be determined.
    Mr. Chairman and ranking minority members, this concludes 
my statement, and I'll be pleased to answer any questions that 
you or other members of the subcommittee may have.
    Mr. Lankford. Thank you.
    [Prepared statement of Mr. Dicken follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Lankford. And thank you, all of you, for your 
testimony.
    Can anyone state to me the section of the ACA that outlines 
the data hub? So, this massive undertaking started from what 
within the law? Because it is a massive piece, obviously. I'm 
just trying to figure out what part of the law mandates that 
this data hub be created, that this is the particular vehicle 
to solve the problem?
    Mr. Milholland. Mr. Chairman, I will take a cut at that. 
It's the requirement to exchange information between agencies. 
We had to find a way that would easily work to connect to the 
IRS and particularly HHS and then subsequently to the 
exchanges, also to other government agencies. When we did the 
architecture and design in collaboration with HHS and the other 
partners, we realized that the simplest design, the one that 
would make it more likely that we would implement on time, was 
a hub concept.
    Mr. Lankford. So you're saying that there's a statement 
within the law that requires communication between the 
agencies. Is this also requiring communication to the exchanges 
as well?
    Mr. Milholland. I will let HHS answer that specifically, 
but I believe the answer is yes.
    Mr. Lankford. Okay. Does anyone know on the section of law 
where this comes from?
    Mr. Chao. I don't--I don't believe it's in any section of 
the law. I think, you know, as Terry said, we've been working 
together on the most efficient implementation of the 
requirement that is in the law for information sharing between 
Federal agencies that are used to verify data on applications 
of people who are applying for----
    Mr. Lankford. Okay. So there is a section that requires 
communication verification on it. How much does--does anyone 
know the total cost of the hub at this point? I mean, we've got 
two contractors that are working on it. Every agency has now 
started engaging. We have all these agreements for computer 
matching. Every State is also engaging in it, so we've got a 
line that's in the law, someone says we need to verify, how 
much has this cost.
    Mr. Chao. I think that there are several line items within 
the hub, but the total picture, as GAO reported, is about $394 
million that CMS has budgeted and obligated for the various 
contracts to build the capabilities for the marketplace.
    Mr. Lankford. Okay. And then we've got several different 
pieces here. We have the data hub, obviously connecting all the 
agencies there where you're saying information is not stored at 
the data hub.
    Mr. Dicken referred to it's almost done in realtime, I 
believe, was the statement that was made there. Is it really 
realtime that's done or are we batching all these reports?
    Mr. Chao. The vast majority of the design is for realtime 
responses and realtime requests to get the data.
    Mr. Lankford. So, exchange hits the hub, makes the query, 
comes back seconds later, or does it come back hours later? 
That's what I'm trying to figure out on it, the batch schedule 
here.
    Mr. Chao. The service levels agreement, for example, with 
IRS is between 5 and 8 seconds
    Mr. Lankford. Okay. That's terrific. What about the caching 
of information. So when the request is made, how long is the 
cache to be able to hold on to that information as it's going 
through the process?
    Mr. Chao. The ``caching,'' and I put quotes around that, is 
kind of loosely used. When an individual is applying for the 
marketplace and they begin to enroll or request enrollment via 
the online application, they can pause and save that 
application into what we call a ``My Account,'' and that's on 
the marketplace system side.
    Mr. Lankford. Okay. So, that is stored information. So, in 
the data hub, you're saying, the caching is the best way to do 
it is over here, so how long is the cache in the data hub 
section of it?
    Mr. Chao. It is a consumer--when it comes to the 
application and their data, it is a consumer-elected, quote-
unquote, ``caching'' of information saved in their ``My 
Account.'' In the hub, the time to live is very short. If there 
is no question and response match, that data is then removed.
    Mr. Lankford. So you're talking 10 minutes, 20 minutes, an 
hour, somewhere through there?
    Mr. Chao. Within minutes.
    Mr. Lankford. Okay. All right. Then let's go on the other--
on the consumer side, where you're saying--talking about ``My 
Account'' because that is where stored data is located. Give me 
examples of some of the fields.
    Ms. Tavenner, you mentioned a couple of those, Social 
Security, birthdays and such. What are some of the other fields 
that are there?
    Mr. Chao. Names of household members, address, the 
requirement to supply valid Social Security numbers.
    Mr. Lankford. Ethnicity, is that included as well?
    Mr. Chao. I believe there are race and ethnicity----
    Mr. Lankford. Okay. So, home address. Is there a phone 
number that's included in that?
    Mr. Chao. Yes.
    Mr. Lankford. Email address?
    Mr. Chao. Yes, contact information.
    Mr. Lankford. All of the--does it have the questions about 
employer-sponsored coverage, is that included in that part as 
well?
    Mr. Chao. Yes.
    Mr. Lankford. Just questions about some of the background 
on it. Veteran status?
    Mr. Chao. Yes.
    Mr. Lankford. So, family members, you mentioned that. Does 
it just list out family members or list out the details of the 
family members?
    Mr. Chao. It--I think when we examined verification and 
determination of eligibility for premium tax credits with--in 
conjunction with IRS and also examined Medicaid and CHIP 
eligibility, there are some information that's used for 
different programs.
    Mr. Lankford. Okay. Let me run through several here. Indian 
tribe?
    Mr. Chao. Yes.
    Mr. Lankford. Tribal member is listed there.
    Mr. Chao. Yes.
    Mr. Lankford. Pregnant, would that be a question that would 
be asked or----
    Mr. Chao. It depends on a series of what we call a pattern 
of answers that would indicate that that might be a question 
associated with----
    Mr. Lankford. Obviously, ``female'' would be one of those, 
I would assume, in that pattern?
    Mr. Chao. I would think so, but it could be a household 
member that is not the applicant, but that's mostly used for--
--
    Mr. Lankford. But that is a possibility that's in there. 
Applicant income, request of that?
    Mr. Chao. Yes.
    Mr. Lankford. Disabled, would that be listed as part of it?
    Mr. Chao. Disability, no.
    Mr. Lankford. Okay. All right. So that this information is 
gathered and it's stored how long?
    Mr. Chao. For--once the enrollment is established, you 
know, via the ``My Account.''
    Mr. Lankford. So the ``My Account'' is set up, that 
information stored in that section, stored how long?
    Mr. Chao. It is stored for as long as the person is seeking 
access to affordable care and wants to enroll via the 
marketplace.
    Mr. Lankford. Okay. We'll have a lot of questions for you. 
I want to be able to honor everyone's time in the day on this, 
but I want to just set some basic parameters of what we're 
talking about, because we are really talking about two 
different systems. Data hub may not store anything, but we do 
have a data system that is storing large amounts of information 
as well, and so we'll have to be clear as we walk through it 
and try to make sure that we're using correct terms as we walk 
through it; is that okay?
    Okay. Ms. Speier.
    Ms. Speier. Mr. Chairman, thank you.
    And thank you again to all the witnesses.
    Three issues, privacy, security, fraud, that's what we're 
focussing on today.
    Let me start with Mr. Werfel and ask you a question about 
privacy.
    Given the number of different agencies involved, what 
measures has the IRS implemented to guarantee that sensitive 
taxpayer information is protected when it enters the data hub?
    Mr. Werfel. Thank you for the question. We, as I mentioned 
in my opening statement, we have a longstanding process because 
the Tax Code has previously allowed for, in certain situations, 
the IRS to share taxpayer information to Federal and State 
agencies, so over time, we built a very robust process that 
we're leveraging for the manner in which we'll share 
information under the ACA, which created a new exception under 
the Tax Code.
    That process is anchored around what we call a safeguard 
procedures report, and essentially, if you are to receive 
taxpayer information from the IRS, then you have to have an 
approved safeguard procedures report in place that IRS--and 
it's a very robust set of requirements. IRS reviews and 
approves that procedures report, or SPR, and then we monitor 
and do like on-site visiting to make sure that they are 
complying with those procedures that they outline. They deal 
with things like recordkeeping, restricted access, employee 
awareness about the sensitivity of the information, internal 
inspections to make sure that the procedures that are in place 
are robust, disposal of records when they are no longer needed, 
making sure that only those records that are needed--that are 
used are needed.
    So, it's a--you know, we have, as an example, just to give 
you a sense of how robust it is, just a template for what a 
State agency or Federal agency or the hub, in this case would, 
need to fill out is 61 pages, and that's just a template of 
what's required.
    So, really, we have a very robust set of requirements that 
are well battle tested over the years. We go through a robust 
process to review it and then we do on-site monitoring to make 
sure that the agency involved, whether it's the hub or a State 
agency or another Federal agency are making good on their 
commitments.
    Ms. Speier. Is there any penalty if they somehow have it 
breached?
    Mr. Werfel. Well, there are ongoing reviews that are done 
by the inspector general as an example. There can be severe 
penalties for willful breaches. What the inspector general, I 
can let Mr. Duncan speak to that, usually do is determine 
whether the breach was inadvertent or willful, and if it's 
inadvertent, then they would issue some type of report that 
would establish new sets of requirements that we may need to do 
to make sure that such inadvertent disclosures don't occur 
again. If it's willful, they may refer to the Justice 
Department for potential prosecution. It just depends on the 
circumstances.
    Ms. Speier. Okay. Now, I'm going to jump first to fraud and 
then come back to security because in my mind, security is the 
issue here. In terms of fraud, the chairman had referenced that 
there is, in effect, an honor system in place, and while that 
may be the case, because you're self-attesting it to, it's an 
honor system with consequences, is it not? If, in fact, you say 
you make $40,000 a year and are eligible for a premium credit, 
when it comes tax time the following year, if you really made 
$150,000, that subsidy has to be returned to the coffers of the 
U.S. taxpayers; is that not true?
    Mr. Werfel. Generally. If I could have a second to explain.
    So a couple of important things about the fraud and error 
risk associated with the ACA.
    First, what's happening when the individual enters the 
marketplace and seeks a premium tax credit, the system is set 
up so that any funds that they may be eligible or not eligible 
for because they're trying to defraud the system don't go to 
the individual. They go to the insurer.
    So the individual can try to penetrate the system and gain 
money, but they're not going to get money. The money is going 
to be sent to the insurers.
    Ms. Speier. They're going to get health care.
    Mr. Werfel. They're going to get health care. And they 
might get more affordable health care than they're otherwise 
eligible for.
    And at the back end, when they're reconciling, it may be 
that they were eligible for too much when we see what their 
actual income is when they file their taxes, and then they'll 
owe potentially some more money.
    It may be that we didn't determine that they were eligible 
for enough. But what that will mean in that case is they have 
been paying into this process, to the exchange, too much money 
than they should have, so we're only reimbursing them the cash 
that they've already paid in.
    Now, there is----
    Ms. Speier. I'm running out of time, and I want to get--
thank you--to the more critical issue.
    I believe that the hub has a bull's eye on it and that the 
potential for it being hacked is great. And while there's been 
testing that has been undertaken, does ``testing'' mean that 
we've allowed, you know, high school computer science whizzes 
to try and hack into the system?
    Mr. Chao. No, Congresswoman. The testing involves security 
professionals with predefined security protocols that are 
embedded and automated procedures that, for example, to try to 
penetrate the system and to emulate a potential hacker, as well 
as it scans for poor quality of code development with big holes 
in it so that people can actually infiltrate the system.
    And it also includes examining audit procedures and the 
ability to log access to the system and provide the 
traceabilities that auditors need in order to see who has been 
accessing what data with the right--with the correct roles and 
permissions.
    Ms. Speier. My time has expired.
    Thank you, Mr. Chairman.
    Mr. Lankford. Mr. Meehan?
    Mr. Meehan. Thank you, Mr. Chairman.
    And I want to jump off of what the gentlelady from 
California said about this being--looking at it from the 
security perspective, and also to talk about it from the 
perspective of what the chairman said.
    And this is not a partisan effort to try to go put you on 
the spot. And I also appreciate that you are the people who 
have been trying to implement this.
    But I also have grave, grave concerns about the scope of 
information that is being put together by this system that you 
put together because, you know, it was required just to make it 
work. And I've been struck by the observations of numbers of 
people who are outside the organization, as well.
    So I know you, Ms. Tavenner, have discussed that you are 
trying to take the minimal amount of information that is 
necessary. But what is necessary to make the system work has 
been discussed by Stephen Parente of University of Minnesota, 
who studied perhaps the largest consolidation of personal data 
in the history of the Republic. Do you dispute that?
    Ms. Tavenner. One thing I would remind the committee is 
that, currently, we are used to storing and having personal 
information on large numbers of individuals, such as in the 
Medicare program, in the Part D program. We take it very 
seriously, and we go through the highest security and privacy 
protections.
    Mr. Meehan. I know you take it seriously. The question is 
whether you're prepared to have this information protected 
against the kind of and scope of probes that are taking place 
in the real world today.
    I'm going to read some observations from some people who, 
you know--``This national insurance exchange system will be the 
largest IT system ever created in our history, and they're not 
sure how it will work, and they cannot assure the security of 
this very private data. They are extensive government data-
sharing systems that lack information security and offer easy 
access to hackers, identity thieves, and others interested in 
surreptitiously gaining access to private information.'' This 
was Twila Brase from the Citizens' Council for Health Freedom.
    ``Nothing like this has ever been done to this complexity 
or scale and with a timeline that puts it behind schedule 
almost before the ink was dry.'' This was Rick Howard, who has 
an advisory firm, the Gartner firm.
    This is Jim Spatz, a senior advisor at Manatt Health 
Solutions: ``As crunch time is coming, they're just muddling 
through and figuring out shortcuts. It might not be elegant, 
but this is how they're trying to make the law work.''
    These are the observations of some of the people who are 
outside the system observing it. Are they accurate?
    Mr. Chao. Congressman, I would refute that to say ``no,'' 
because CMS has vast experience--for example, there are nearly 
50 million Medicare beneficiaries, and we have databases and 
systems that operate in an architectural and technical pattern 
very similar to what the marketplace requires, including, you 
know, application for enrollment, processing eligibility 
verifications, checking various sources of data, allowing for 
people to come back in to report life-changing circumstances, 
working with SSA to remove them when we receive a date-of-death 
notice.
    I think all these operations at a very, very super-scale 
level in health care, CMS has applied this experience to the 
marketplace program.
    Mr. Meehan. Would you--I understand what you're trying to 
do at CMS. Are you aware of what's going on today, Quantum Data 
2, the testing thing that's being done right now on Wall Street 
today by the major New York banks?
    Mr. Chao. No, I'm not.
    Mr. Meehan. Do you think that your system is more or less 
secure than that that is being put together by the best banks 
in the United States?
    Mr. Chao. I really can't speak to that because I'm not 
aware of what they're doing.
    Mr. Meehan. Well, they're walking through, as we speak, 
with regard to the ability to--that their recognition that they 
are, in effect, being so remarkably challenged by the ability 
of complex networks, be they criminal, be they state-oriented, 
be they otherwise, to get into information systems that they 
have responsibility over.
    And I'm not sure that I'm aware of any system that has more 
personally identifying information than your system currently. 
And the question is the degree to which we're capable of being 
able to protect those systems.
    My time has expired, but I'm looking forward to following 
up specifically on some of the questions with regard to that.
    Ms. Tavenner, do you have a comment?
    Ms. Tavenner. The comment I would make is that there 
certainly is a lot of speculation out there about what's going 
on inside CMS. And what I know is that the process that we are 
following, we are used to working--we have lots of experience 
with working with big data sets.
    And we are following, going back to the Privacy Act of 
1974, moving forward, to make sure that we have the highest 
degree of security and privacy protection. And we are on 
schedule to get that done----
    Mr. Meehan. Do you know, what is the highest degree of 
security protection? Do you know, yourself, what that is?
    Ms. Tavenner. So I know, working with the team, that we 
start with certain standards that are required by the 
government, and we follow those standards completely and 
thoroughly. And then we have a continuous monitoring process, 
we have a continuous training process----
    Mr. Meehan. Ms. Tavenner, let me ask a question. When was 
the last time that you have sat in on a secure briefing by the 
FBI or the Department of Homeland Security giving you the 
current state of the cyber threat to data systems in the United 
States?
    Ms. Tavenner. I don't know that I've sat in on an FBI 
briefing. We certainly have briefings inside HHS, and I did 
sit----
    Mr. Meehan. But no, no, no. I asked you a specific 
question. The two agencies that have the specific 
responsibility to understand the scope and nature of the 
threat--are you telling me that you are the person who is 
responsible for putting together what may be the biggest data 
system of private information in the history of the United 
States, according to testimony of numbers of people, and you 
have never been to a secure briefing by the FBI or Homeland 
Security about the current nature of the threat to data 
systems?
    Ms. Tavenner. And I am telling you that I have been to a 
secure briefing.
    Mr. Meehan. With whom? By HHS or FBI?
    Ms. Tavenner. With HHS.
    Mr. Meehan. Well, but that is not Homeland Security, is it?
    Ms. Tavenner. No, sir.
    Mr. Meehan. No, it is not, nor is it the FBI, who are the 
two responsible for understanding the nature of the threat.
    I will pursue my questioning. Thank you, Mr. Chairman.
    Mr. Lankford. Ms. Clarke?
    Ms. Clarke. Let me thank you, Chairman Lankford, Chairman 
Meehan, and thank Ranking Member Jackie Speier for submitting 
my testimony to the record.
    And thank you, witnesses, for your testimony here this 
morning.
    My first question will go to Mr. John Dicken.
    Your report on the development of the Affordable Care Act 
data hub is the first of its kind for these healthcare 
programs, which means we are still learning about how to go 
about assessing the progress of the effort. You noted that 15 
of the 34 States where Federal health officials are running the 
exchanges will play some role in their operation, and this is a 
good sign.
    With about 7 million citizens expected to enroll in 
healthcare plans, would you tell us first about the key 
milestones that have been met and the plateaus that have been 
reached in such a massive undertaking?
    Mr. Dicken. Thank you, Ranking Member Clarke.
    You are right that our report did look at two of the key 
milestones that have been met. We issued our report last month 
and highlighted some of the progress that has been made--
notably, issuing key regulations and guidance that are 
necessary for establishing the exchanges and the data hub; 
establishing, building, and developing and implementing some of 
the data systems that are necessary; and beginning some of the 
process for testing that is still ongoing.
    Since our report came out last month, there have been some 
other public milestones that have been met. I know that CMS has 
relaunched the healthcare.gov website.
    There are still a number of big challenges remaining, 
though. Our report does highlight that there are still a number 
of key milestones that do need to be met before October 1st and 
the open enrollment.
    Ms. Clarke. I would like to also hear from agency staff 
present about what milestones they feel have been reached and 
how they see their progress.
    Mr. Chao. For CMS, we manage and administer the majority of 
the testing with the key business partners, which are the 
issuers or insurance companies that offer qualified health 
plans in the marketplace. We began testing with them in June 
extensively and stepping into greater and greater iterations of 
more complex testing that involved enrollment that are 
orchestrated with the issuers and their ability to receive an 
enrollment transaction and an acknowledgment and, finally, into 
a payment and a payment acknowledgment.
    The States we have been testing extensively since February, 
so those have been major milestones. Starting this week, we 
have conducted the testing in waves, and States have been 
coming in in various waves. You know, one through four is what 
we categorize it, with four being the vast majority of the more 
complex testing with the hub primarily and the ability to 
receive information when a federally facilitated marketplace is 
detecting the potential for Medicaid and CHIP eligibility.
    That testing in the fourth wave began this week, and we 
have 40 States participating. And when the 40 States are 
testing with us, we will have all the States that have done 
some level of testing with us, with the 40 probably being the 
vast majority between now and August.
    Ms. Clarke. Does anyone have anything else to add?
    Mr. Werfel. I would just add to that from the IRS 
perspective. We also, similarly to HHS, are on schedule. We 
have a variety of information technology builds and upgrades 
that are necessary to meet the information-sharing requirements 
within the ACA, and that we're generally on target with respect 
to all of those milestones. And we have a very high degree of 
confidence of readiness when October 1 hits and the open season 
enrollment begins.
    Ms. Clarke. Well, that sounds good.
    Let me go on and ask, can you update us on the Federal Data 
Services Hub testing activities, including the list of tests, 
which agency and stakeholder tested the data hub in each event, 
the results of each test, and when the testing will be 
complete?
    Mr. Chao. We certainly can do that. I can generally run 
through right now in just a few minutes. But I think, working 
with GAO and other folks that want to come in and take a deep 
look at the range and depth of our testing by testing partner, 
we can certainly provide that information. It is available.
    The testing that will occur in the next 70-plus days or so 
is largely looking at what was mentioned earlier as integration 
testing. Some folks like to use the term ``end-to-end 
testing,'' as if there is just this one giant thread from start 
to finish of all these complex processes that have to, in 
essence, have a handshake to move this data and respond to data 
in order to fulfill the request for enrollment.
    We are taking segments of that or hops of that process and 
testing the integration, for example, between IRS and the data 
hub, the data hub with the marketplace systems, and the 
marketplace systems with the issuers.
    So that's just a very, very high-level example of how we 
break down that integration testing into those hops and to look 
at the interfaces and the data flows that are necessary to 
support that business process.
    Ms. Clarke. Thank you. And if you could submit to the 
committee just a little detailed testing arrangements, that 
would be something that we'd like to have.
    Mr. Chao. We can certainly do that.
    Ms. Clarke. Thank you.
    Mr. Chairman, I will yield back.
    Mr. Lankford. Thank you.
    I recognize the chairman of the full Committee on 
Oversight, Mr. Issa.
    Oh, he's not here right now. He had to slip out.
    Mr. Jordan?
    Mr. Jordan. I thank the chairman.
    Mr. Werfel, we've been given two titles for this 
individual. We've been given the title Project Manager for the 
Affordable Care Act and Director of the IRS's Affordable Care 
Act Office. Who is that individual?
    Mr. Werfel. I'm sorry, can you repeat the two titles?
    Mr. Jordan. Project Manager for the Affordable Care Act and 
Director of the IRS's ACA Office. Isn't it true that that 
individual is----
    Mr. Werfel. Yeah, I mean, I'm just--you know, we have title 
changes, but I think you're referring to Sarah Hall Ingram.
    Mr. Jordan. All right. And how long has Ms. Ingram worked 
at the Internal Revenue Service?
    Mr. Werfel. I don't know the answer to that.
    Mr. Jordan. Our records show that she has worked there 
since 1982, 30 years. And prior to taking over the ACA Office, 
what was Ms. Ingram's title?
    Mr. Werfel. Commissioner for the Tax-Exempt Government 
Entities organization.
    Mr. Jordan. And this is the very organization where the 
targeting of conservative groups took place; isn't that 
correct?
    Mr. Werfel. It is the organization that was the subject of 
the IG report that I think you're referring to.
    Mr. Jordan. Yes. And this is also--Ms. Ingram was also Lois 
Lerner's boss; isn't that correct?
    Mr. Werfel. I believe for a period of time, yes.
    Mr. Jordan. When the targeting took place, for 2 of the 3 
years that the targeting took place, according to our records.
    And isn't it true that Ms. Ingram was invited to be a 
witness at today's hearing?
    Mr. Werfel. That is true, yes.
    Mr. Jordan. And isn't it true that you called Mr. Lankford 
and asked that she not come and that you come instead?
    Mr. Werfel. What I told Mr. Lankford was, based on the 
topic of this hearing, which deals with data, data integrity, 
and privacy, that I felt that Mr. Milholland was a better 
technical expert because he's our Chief Technology Officer, and 
Ms. Hall Ingram does not deal as directly in the issues of data 
safeguarding.
    Mr. Jordan. Is Ms. Hall Ingram in Washington today?
    Mr. Werfel. Yes, she is.
    Mr. Jordan. So there's no family responsibilities, no 
health concerns, no other reason why she couldn't be here 
today?
    Mr. Werfel. I don't know about any of those situations 
personally, no.
    Mr. Jordan. But, to best of your knowledge, she's working, 
she's a few blocks away today, right?
    Mr. Werfel. Yes, she's at the IRS.
    Mr. Jordan. Okay. And I know you've testified five times in 
front of various--or six times, I think you said, in front of 
various committees. But how long, again, have you been at the 
IRS?
    Mr. Werfel. Roughly a month and a half.
    Mr. Jordan. Okay.
    Mr. Werfel. Coming up on 2 months.
    Mr. Jordan. All right.
    We want to put on the screen here a couple slides, if we 
could. And just so you--this was a presentation given to the 
IRS Oversight Board May 2nd of this year.
    And then I want to go to page 5, because this relates 
directly to most of your opening statement, Mr. Werfel, where 
you talked extensively about 6103. But I want to read--it may 
be a little difficult. I'll read the second bullet point.
    ``The ACA added Section 6103(i)(21) to authorize the IRS to 
disclose Federal taxpayer information to exchanges, Medicaid, 
and CHIP agencies and their contractors to support income 
verification for ACA needs-based eligibility determinations.''
    6103 info is pretty important information; isn't that 
correct, Mr. Werfel?
    Mr. Werfel. Absolutely.
    Mr. Jordan. Almost viewed as sacred, correct?
    Mr. Werfel. Within the IRS, for sure.
    Mr. Jordan. Yeah. In fact, you've used that, you've used 
6103 as a reason not to answer some of my questions I've asked 
you in some of those previous appearances you've had in front 
of this committee. And most of your testimony dealt with it. In 
fact, there's a story in yesterday's Washington Examiner where 
this was breached and a political figure had personal 
information, donor information, that went public, according to 
the Inspector General. So this is important stuff.
    Do you know who happened to--do you know who gave this 
briefing to your Oversight Board on May 2nd, 2013, Mr. Werfel?
    Mr. Werfel. I don't know, but I'm assuming you're going to 
tell me.
    Mr. Jordan. Yeah, we are. Who do you think it is? Can you 
hazard a guess?
    Mr. Werfel. If you would allow me, I mean, I think we can 
get to some of the points you're tying to raise. I'm not going 
to dispute that Ms. Hall Ingram is not integrally involved in 
our ACA work. What I'm----
    Mr. Jordan. No, no, no, wait, wait. What you just said a 
few minutes ago, maybe a minute and a half ago, was you were 
the person best equipped to answer our questions, even though 
the chairman invited Ms. Hall Ingram. And yet Ms. Hall Ingram 
is the very person who gave this briefing talking about 6103 
information, which you highlighted in your testimony as being 
so darn important.
    So the very lady who is doing the oversight briefing to the 
Oversight Board who we wanted to have come talk about this 
information, making sure taxpayer information was confidential, 
gave that briefing, you called up Chairman Lankford and said, 
``No, no, I don't want her to come. I'll come instead.''
    Mr. Werfel. Can I respond?
    Mr. Jordan. And you've been here all of 63 days. She's been 
here 31 years, since 1982. In fact, she's the central figure in 
two of the biggest stories in the country, the IRS targeting 
and the implementation of Obamacare. And these two gentlemen 
asked her to come, and you called up and said, nope, we don't 
want the lady who briefed the Oversight Board, we don't want 
her to come; I'll come instead and use my 63 days of expertise, 
versus her 32 years, 31 years of expertise.
    Ms. Speier. Mr. Chairman, with all due respect, Mr. Werfel 
has presented himself very, very competently in every area 
and----
    Mr. Jordan. Mr. Chairman, did I yield the time? I don't 
think I yielded her time.
    Mr. Lankford. Yeah, the gentleman did not yield on it. I 
want the gentleman to be able to retain the time----
    Mr. Werfel. May I respond?
    Mr. Lankford. --and for Mr. Werfel----
    Mr. Jordan. Yeah, you can respond. I hope you will respond.
    Mr. Werfel. I will respond.
    Mr. Lankford. And, Mr. Werfel, absolutely, we'll give you 
the time to be able to respond.
    Mr. Werfel. I appreciate that.
    First of all, Congressman, I don't agree with your 
characterization of the nature of my phone call with Mr. 
Lankford and the reason why I and Mr. Milholland are sitting 
here today.
    What I feel is appropriate and what I think IRS 
historically feels is appropriate is, when there's a hearing, 
we balance a lot of different factors in figuring out who the 
best witness is to present the information to Congress. Two of 
those factors are accountability--and I'm the most senior 
accountable official within the IRS----
    Mr. Jordan. I understand that.
    Mr. Werfel. --and second is technical knowledge and 
expertise on this subject matter.
    The hearing invite that we received asked us to pay 
particular attention on our coordination with other agencies, 
HHS and IRS coordinations, regarding safeguards of the personal 
data of individuals who purchase coverage through the 
exchanges.
    So what I suggested to Mr. Lankford is a combination of me, 
the most senior accountable official in the organization, and 
the Chief Technology Officer of the IRS, Mr. Milholland----
    Mr. Jordan. And, Mr. Werfel----
    Mr. Werfel. --would provide the best input to the 
substantive----
    Mr. Jordan. I get it, Mr. Werfel.
    Mr. Werfel. --content of this hearing.
    Mr. Jordan. And I respect that.
    But if I could, Mr. Chairman, we have the minutes, we have 
the meeting notes from that presentation given by Ms. Hall 
Ingram----
    Mr. Werfel. She's knowledgeable on these issues. I'm 
saying----
    Mr. Jordan. No, no, no, but let me just read.
    Mr. Werfel. --Mr. Milholland is more knowledgeable.
    Mr. Jordan. Just let me read. Well, if he's more 
knowledgeable, why didn't he do that briefing?
    So let me ask you--here's what it says. ``Ms. Ingram 
discussed the security and safeguard programs at the IRS, that 
the IRS has in place regarding sharing of data among its 
partners.'' If he's the expert, he should've done that 
briefing.
    And, frankly, the chairman didn't ask for Mr. Milholland. 
They asked for Ms. Sarah Hall Ingram, who is head of the 
Affordable Care Act Office at the IRS.
    Mr. Chairman, I yield back. But, I mean, look, we've got 
the two biggest issues, maybe the two biggest issues in the 
country, the lady who's at the center of the storm in both of 
those. We asked her to come here, and she doesn't come. Even 
though she's briefing everybody else on the issue, she won't 
come brief the Congress, just like Lois Lerner won't talk to 
Congress.
    Ms. Speier. Mr. Chairman, I have a point of inquiry.
    Mr. Lankford. Yes, ma'am.
    Ms. Speier. We have a 5-minute limit per Member. Mr. Jordan 
just exceeded it by 1 minute and 48 seconds.
    This is a hearing on evaluating privacy security and fraud 
as it relates to ACA, and this entire questioning was whether 
or not a particular individual should have been here versus the 
head of the agency.
    If we are going to conduct this hearing----
    Mr. Jordan. Mr. Chairman?
    Ms. Speier. --as a witch hunt----
    Mr. Jordan. It's not a witch hunt Mr. Chairman.
    Mr. Lankford. Hold on.
    Mr. Jordan. Would the gentlelady yield?
    Mr. Lankford. The gentlelady has the time. Hold on.
    Ms. Speier. --then I will object. I want this to be an 
oversight hearing by this committee. You have shown great 
leadership in this committee.
    I believe that what we should be doing is looking at where 
the holes are, in terms of making sure the ACA is effective as 
it is rolled out, where the resources need to be employed, 
where there may be loopholes, where there are issues that we 
have to address. And that's what I hope this hearing will 
continue to do.
    Mr. Lankford. There are multiples of those----
    Mr. Jordan. Mr. Chairman?
    Mr. Lankford. I will yield to the gentleman.
    Mr. Jordan. I would just ask unanimous consent to enter the 
meeting notes from the very meeting Ms. Hall Ingram briefed the 
IRS Oversight Board, specifically this sentence: ``Ms. Ingram 
discussed the security and safeguard programs the IRS has in 
place regarding the sharing of data among its partners, 
including those for ACA programs,'' end of story.
    Mr. Lankford. Yeah. Without objection.
    Mr. Lankford. The time period is obviously at the 
discretion of the chair. There have been a couple Members that 
have gone over by a couple minutes, some as long as 2 minutes, 
actually, so far in our time period.
    We are going to try to honor the 5-minute time period, but 
I've always been fairly loose on that with Members on both 
sides, that if there is an appropriate question that's going on 
and they want to give an appropriate response--and, Mr. Werfel, 
I do want you to still have time to respond to Mr. Jordan's 
question that he ended with, if you choose, to be able to do 
that, as well.
    We did have an interchange, we had multiple conversations 
on that. It was very respectful of your position. You obviously 
have a difficult spot. You're walking into the middle of a lot 
of issues with the IRS. This is one of several and a moving 
target.
    I did express to Mr. Werfel that I felt Mrs. Ingram seemed 
to be, as we're looking at the flowchart, the best person to be 
there. Obviously, Mr. Milholland has a crucial role in the data 
transfers on that. Mr. Chao has an incredible role in this from 
the HHS perspective and what's happening. A lot of what we're 
dealing with deals specifically with the regulatory nature of 
this.
    So, Mr. Werfel----
    Mr. Werfel. The only thing I would say--and I can be very 
brief--is that there are multiple people within the IRS with 
substantive understanding of the issues of 6103 and the 
safeguarding. You have two individuals right now, one that's 
the accountable official and one who is a subject matter expert 
on the issue, and we're here and ready to answer any 
substantive questions you have on these matters.
    Mr. Lankford. Yeah, we will continue to press on with that. 

    Mr. Cardenas, you are recognized.
    Mr. Cardenas. Thank you very much, Mr. Chairman.
    I would like to compliment the witnesses so far. It must be 
pretty trying, trying to stay on point even though some of the 
questions are trying to take us all off point here. And it's 
unfortunate that some members of this committee and this 
subcommittee are just hellbent on wanting to bring issues back 
before the public that really are not as relevant as the 
substantive issues as to why this hearing was even convened. 
But I would like to get us back on point.
    In an opinion piece published in the U.S. News and World 
Report in June, Congress Representative Diane Black made 
allegations about the data hub that we're talking about today. 
I'd like to mention one in particular and would invite the 
panel to comment and clarify, if necessary, about this 
information that was put out to the public by Congresswoman 
Diane Black.
    Congresswoman Black wrote, and I quote, ``For the purposes 
of implementing and enforcing Obamacare, the Department of 
Health and Human Services, through regulator fiat, is building 
this hub, a Web portal where personal information such as 
medical records, tax and financial information, criminal 
background, and immigration status will be shared and 
transmitted between agencies, including the IRS, HHS, the 
Department of Justice, Department of Homeland Security, and the 
Social Security Administration, as well as State governments.'' 
All right? And that's the end of that quote.
    Ms. Tavenner and Mr. Chao, can you clarify, will personal 
medical records be accessible through the data hub?
    Mr. Chao. No, they will not be.
    I think the quote or the description is a bit inaccurate, 
in terms of it doesn't describe about the flow of information, 
the type of data, and, certainly, we are not collecting, you 
know, personally identifiable health information on any 
individuals throughout this application process.
    Mr. Cardenas. Anything else on that point?
    Okay. Thank you.
    It's important that there perhaps should be penalties for 
any misuse or disclosure of information. As far as you can 
tell, would there need to be congressional approval to 
implement levels of civil or criminal penalties for those who 
would willfully and knowingly violate privacy laws?
    Mr. Chao. I'll also defer to IRS for their piece.
    I think, for us, there are already civil and monetary kind 
of penalties under U.S. Code that govern access to Federal 
Systems, of which, you know, we do apply that. Specifically to 
this application process, I'm not aware of anything that has 
changed with that in the application of those civil monetary 
penalties under U.S. Code. So I will--I can certainly get back 
to you with more specifics on that.
    Mr. Cardenas. Thank you.
    Mr. Werfel. And I was just going to reinforce that by 
saying that the protections that we're putting in place on the 
data are leveraging longstanding, existing procedures that are 
in place, including penalties and approaches, working with the 
Inspector General, that we have long-term experience with.
    Because, as I mentioned earlier, this is not the first time 
that the law has contemplated sharing taxpayer information from 
the IRS out into other Federal agencies and other State 
agencies. And so we have a strong track record of robust 
processes, and those are going to be leveraged here.
    Mr. Cardenas. Are they getting better, those processes, as 
technology changes and as we have to defend ourselves from 
attacks?
    Mr. Milholland. I'll answer that from the point of view of 
the IRS.
    We use a defense in depth and breadth concept. That is, 
whatever the access controls might be, for example, there are 
eight levels of protection as you come into the IRS 
electronically. But there is also a breadth approach that says, 
not just access controls, but preventative measures you might 
want to take for insiders, say, and a number of implementations 
of technical capabilities that allow us to try to be detect if 
there is inappropriate access to the information.
    So these same kind of practices we pass over to our 
Safeguards group and, particularly, provide our cybersecurity 
experts from Information Technology to assist them in their 
safeguard reviews. So those reviews that take place outside of 
the IRS have the best technical support that's available to the 
IRS, in which we've built what we believe is a--I'll say a 
best-in-civil-government approach to information security.
    Mr. Cardenas. Thank you very much.
    With what little time I have left, I would like to thank 
the panelists. I think you've been doing a really good job 
trying to stay on point and continuing to answer the questions 
as honestly and forthrightfully as you should be before any 
congressional hearing.
    And I would hope that you would share with your colleagues, 
whenever they're summoned to this committee or any committee, 
to watch this tape so that you can show them that you can stand 
your ground and don't succumb to badgering and things of that 
nature trying to get you off point. Thank you so much for your 
professionalism.
    I yield back.
    Mr. Lankford. Mr. Walberg?
    Mr. Walberg. Thank you, Mr. Chairman.
    And thank you to the panel for being here. And we're not 
going to attempt to badger in any way, but we would like 
answers to questions as quickly as possible.
    Ms. Tavenner, thank you for being here. Let me ask you, in 
relation to the HHS issuing a final rule that requires a 
taxpayer enrolled in a health plan through a State exchange to 
report certain changes in circumstances within 30 days, these 
include changes in residency, as I read it, and income. Is that 
accurate?
    Ms. Tavenner. I believe so, but I'd have to double-check 
the rules.
    Mr. Walberg. Well, let me follow up, hoping that maybe this 
will help.
    The question I would have: If, indeed, this is the case, a 
30-day requirement, if I get a raise, if I get a demotion, if I 
start a new job, if I lose a job, am I required to run to my 
State exchange and notify them of those changes?
    Mr. Chao, if you could.
    Mr. Chao. Commissioner Werfel mentioned earlier that the 
process allows for a reconciliation via the tax-return-filing 
process of any advance premium tax credits that were paid on 
your behalf to the issuer that you enrolled in. And while we, 
on a consumer, you know, kind of customer service perspective, 
ask people to report it as early as possible----
    Mr. Walberg. Well, it says 30 days.
    Mr. Chao. Yes. Yes. And----
    Mr. Walberg. But you're going to be flexible on that?
    Mr. Chao. Well, I think, you know, by requirement, it's 30 
days, but if something were not to be, you know, kind of 
reported in that time span--and we are recommending for people 
to report changes timely--there is the reconciliation that will 
kind of pick up any adjustments that are necessary.
    Mr. Walberg. So even I leave a State where my exchange was, 
or my marketplace, I guess is the new term, I will have some 
flexibility on reporting?
    Mr. Chao. Correct.
    Mr. Walberg. Okay.
    Let me move on. Ms. Tavenner, this is just a yes/no series 
of questions and answers here.
    Will exchanges be allowed to enroll individuals to receive 
advance premium tax credits even if their income cannot be 
verified by the IRS, yes or no?
    Ms. Tavenner. I think there are several steps, but, yes, 
there is a possibility that if their income can't be verified 
they could still be eligible after they complete another series 
of tests.
    Mr. Walberg. Will exchanges be allowed to enroll 
individuals to receive advance premium tax credits even if 
their household size cannot be verified by the IRS?
    Ms. Tavenner. I think household size is verified by the 
individual and to the extent that IRS can provide it. But, yes, 
there are additional steps, including self-attestation.
    Mr. Walberg. Will exchanges be allowed to enroll 
individuals to receive advance premium tax credits even if 
their citizenship status cannot be verified by the Department 
of Homeland Security?
    Ms. Tavenner. As you are aware, the Affordable Care Act 
only allows if we are able to verify citizenship or----
    Mr. Walberg. Well, in this case, they're saying they are; 
there's no firm verification. So another flexible area where 
we're really uncertain whether the benefits are allowed or not 
allowed, right?
    Mr. Chao. The process works in that, when there are 
accurate data sources to verify against what's on the 
application, it is done so, you know, online in realtime.
    There are cases in which when data and information is not 
necessarily in synchronization with what the person is 
reporting as the household, we have a step in the process 
whereby they move into an inconsistency period in which we have 
eligibility support workers. It's a complement of almost, like, 
customer service reps that will work with you to identify, you 
know, other means to verify, you know, your household size, 
your income.
    And while it's kind of a labor-intensive process, we have 
built that in so that we can get as accurate a determination 
and enrollment as possible.
    Mr. Walberg. But while it's going on, it's very uncertain?
    Mr. Chao. No, it's a process----
    Mr. Walberg. Citizenship status----
    Mr. Chao. Well, for the consumer's sake or the household's 
sake, the process continues, and they move on to receiving 
coverage and enrollment in a QHP. But we're, in the back end, 
making sure that that data is accurate.
    Mr. Walberg. Will exchanges be allowed to enroll 
individuals who receive advance premium tax credits even if 
their Social Security number cannot be verified?
    Mr. Chao. No. That process will go into that inconsistency 
or exception process, and that's probably a pre-, early kind of 
step in the process, because the first thing we have to do is 
to validate a Social Security number via SSA before we talk to 
IRS with that validated Social Security number.
    Mr. Walberg. If they haven't had any previous tax returns, 
for instance----
    Mr. Chao. Well, that's why----
    Mr. Walberg. --how do you verify this?
    Mr. Chao. That's why we have that inconsistency process 
whereby for 90 days we will work with the applicant filer to 
make sure that that information, the required information, is 
validated on the application.
    Mr. Walberg. Mr. Chairman, my time has expired. Thank you 
for the additional time. This is an uncertain setting, isn't 
it?
    Mr. Lankford. Ms. Lujan Grisham?
    Ms. Lujan Grisham. Mr. Chairman, thank you very much.
    And I also appreciate the opportunity to talk about the 
readiness and capability and make sure that we're covering 
broad consumer protections, specifically privacy.
    I might point out before I get to my question that States 
for decades have been collecting financial and healthcare 
information from Medicaid recipients, including children, and 
working very hard as the technology opportunities have enhanced 
to make that interoperable and realtime so that individuals 
aren't doing independent applications by hand between one 
department that's covering developmentally disabled populations 
and another department that's doing brain injury and another 
department that's responsible for level of care and another 
department that's required to do the financial verifications, 
including going to their bank statements.
    And we're doing that successfully. And, in fact, after 20 
years, I'm not aware of a single State that's had privacy 
issues as the core issue, by any stretch of the imagination, or 
those consumer protections. We've had issues about Medicaid 
implementation, effectiveness, some fraud by providers, and all 
things that we should be looking after. But I'm not aware of 
anything, including hospitals and their discharge work and 
their own Medicaid eligibility sending provider to provider and 
provider to State, in fact, the very same information that 
we're now going to do at the Federal level.
    So I'm happy to say that New Mexico is one of those States 
that is glad to help you do this, because we've been doing it 
successfully in many of these components for a long, long time.
    But to be successful, I'm concerned--and you might have 
covered this already--I'm concerned about having a budget that 
gives you the staff, that checks, that double-checks, that 
makes sure that you're meeting the requirements that we intend 
in Congress, both for consumer protection and to make sure that 
we get these eligibility issues streamlined effectively since 
we're using a Web-based aspect here.
    So the Republican budget out of the Appropriations 
Committee cuts your budget by 24 percent. And I recognize that 
this committee is concerned about IRS issues; I'm concerned. I 
introduced legislation that would clarify that ``exclusive'' 
means exclusive for 501(c)(4)s. I don't believe that there's 
been targeting, but I think we don't have the right processes 
involved to do it adequately and objectively and correctly. So 
this will, I think, help us.
    Commissioner Werfel, can you talk to me again specifically 
about what a 24 percent budget cut does to adequately and 
efficiently implement the requirements of the Affordable Care 
Act by the IRS?
    Mr. Werfel. It's extremely challenging, in general. I think 
when you talk about a 24 percent budget cut for the IRS, you 
have to start with the reality that all of our mission-critical 
activities will be severely impacted. That means our ability to 
collect revenue, work with taxpayers to help them navigate the 
Tax Code, do enforcement, go after bad actors who are seeking 
to defraud the system, meet other mandates.
    We have many legal mandates on our plate right now. We have 
work that we're doing under a law that's called FATCA that 
deals with disclosing information that's in offshore accounts 
that's unreported. We have legal mandates under that.
    So when you talk about a 24 percent cut, you really are 
negatively impacting taxpayers--small businesses, individuals, 
families----
    Ms. Lujan Grisham. So this has effects well beyond the 
Affordable Care Act.
    Mr. Werfel. Absolutely.
    Ms. Lujan Grisham. And while, before I lose my minute, I 
want to make sure that you hit some of the specifics about the 
Affordable Care Act, and I want you to highlight that for every 
dollar that comes into the IRS--that includes the staffing 
resources to do the work that you're required to do--it brings 
in about 6 Federal dollars.
    And, for me, this seems like a very political attempt to 
undermine the implementation of the Affordable Care Act instead 
of what this committee, in particular, should do, is to make 
sure that the IRS can meet all of its obligations under current 
law.
    Mr. Werfel. Right. So I think the ACA tracks some of the 
broader responsibilities for the IRS. Our efforts to 
modernize--and here, for the ACA, we have to build technologies 
to meet these mandates. That certainly would be impacted by 
severe budget cuts.
    Our ability to work with taxpayers, whether on the phone or 
build new tools through IRS.gov so that they have clarity, 
whether it's an individual or an employer, we do that in the 
tax law generally. It would certainly be impacted by the ACA. 
Harder to get someone on the phone, harder to get information 
at a taxpayer assistance center, et cetera.
    And then we have protecting information. You know, we have 
people in place that are doing these reviews and oversight of 
agencies that hold taxpayer data. Significant and severe budget 
cuts would impact our ability to secure the data.
    And then, obviously, enforcement has been a major theme in 
this hearing about fraud. We have to have tools in place, both 
technology and analytics and expertise and criminal 
enforcement, to make sure that everyone's playing on a level 
playing field and no one's getting a benefit or money that they 
don't deserve.
    Everything I just said, I think, is relevant across the 
IRS. Everything I just said is relevant to the ACA. And I 
welcome a debate and a dialogue around the IRS budget and, in 
particular, what a 24 percent cut would do.
    Again, my bottom line is I think it's important to look at 
it from the perspective of the taxpayer--the individual, the 
small business, the large business, the nonprofit, whatever it 
is. They will face very significant concerns and consequences 
with a 24 percent cut to the IRS, because they won't be able to 
access critical services. Because the Tax Code doesn't go away. 
They still have to comply with the Tax Code. They still have to 
comply, and they often seek and get IRS help in doing so. And 
our ability to provide that help and assistance will be 
compromised.
    Ms. Lujan Grisham. Mr. Chairman, I'm well over my time. I 
seek the committee's indulgence for a quick follow-up?
    Mr. Lankford. Yes.
    Ms. Lujan Grisham. Quickly, so you're going to have to move 
staff and shift your priorities. Have you thought about where 
you would start? Give me that. Where would you shift personnel 
to meet the Affordable Care Act implementation?
    Mr. Werfel. Well, we're already starting--you know, if you 
look at the sequester impacts, we're already, for example, our 
taxpayer assistant centers are closing at 1:30 now, and so less 
people are getting in. Our call centers have less people 
sitting ready to take calls, so our level of service numbers 
are going down.
    Ms. Lujan Grisham. Okay.
    Mr. Werfel. I mean, it's just--the budget cuts that we 
face, the billion dollars between 2010 and 2013, which in part 
is due to sequester, are impacting our ability to serve and to 
enforce.
    Ms. Lujan Grisham. Thank you.
    Thank you, Mr. Chairman, for your indulgence, and the 
committee's as well. I yield back.
    Mr. Lankford. I recognize the chairman of the full 
committee, Mr. Issa. 
    Mr. Issa. Thank you.
    Mr. Werfel, when did you start at OMB?
    Mr. Werfel. August 4th, 1997.
    Mr. Issa. And you've got 63 days or so in your current job.
    Mr. Werfel. Yeah, I'm coming up on my 2-month mark.
    Mr. Issa. And so you were in a key position to work with 
the President, quite frankly, during the discussion leading up 
to his offering and signing what became known as sequestration, 
right?
    Mr. Werfel. I was not involved in the Budget Control Act 
negotiations. I was involved, back in August 2011 when the 
Budget Control Act--my role was to work with the Treasury 
Department to prepare administratively for a potential breach 
of the debt limit. But I wasn't on the side of----
    Mr. Issa. Okay. Well, I'm just trying to understand the 
revisionism that's going on here. OMB did have a critical role, 
broadly, in the decision that the President made to go for 
sequestration. So, you know, you're sort of feigning that this 
is so terrible, when, in fact, this was the President's 
decision, and now that it's become law and it's affecting you, 
you're saying you can't do your job. Well, I appreciate that 
that may be true, but let's go through some numbers.
    While you were at OMB, you opposed the DATA Act that was 
passed unanimously out of this committee. To a certain extent, 
you were helpful in making sure the Senate never picked it up.
    Now, the reason for the DATA Act was to mandate structured 
data so that interoperability of government databases with 
strong enough metadata to secure and ensure that confidential 
information would always be in a way that it could not 
accidentally go from field to field in some sort of a mix so 
that organizations like the IRS, when they want to look at SEC 
and they want to look at multitude of filings, would be able to 
look at that data transparently in order to do better audits 
with less people.
    Isn't that roughly what we sold to the Senate but they 
didn't buy?
    Mr. Werfel. As I've testified before this committee wearing 
my former hat, I personally and I think the administration 
agreed with the objectives of the DATA Act. Our concerns were 
not about what you were trying to achieve; it was the how. And 
we were concerned about some of the additional bureaucratic 
layers of new organizations in place with roles and 
responsibilities on data standardization, which is what caused 
us our concerns.
    Mr. Issa. You know, what's amazing is I didn't get offered 
one amendment from the administration in order to perfect that. 
And, candidly, what we're talking about here today, data 
security and the comfort level that interoperable databases and 
particularly those that are exposed to non-IRS employees, which 
will be every piece of information that we care about almost 
when it comes to our tax records and earnings and ultimately 
the healthcare information, is not going to be covered by a 
mandate but rather by good intentions.
    Let me go through one quick question here. As part of this 
process, this committee has been looking at the IRS and figured 
out that you gave, you know, $260 million, but a total of about 
half a billion dollars was given to a company that was at best 
a shell and perhaps a fraud. This committee had their CEO there 
recently. And you've had to finally cancel that contract. But 
on July 4th, 2013, CMS awarded a potential 5-year contract 
worth $1.2 billion to a British company, Serco.
    Now, at least our information is that the FBI has also 
discovered Serco's computer systems serving with the Federal 
Thrift Savings Plan were hacked. In other words, these people 
who are going to run this data have already compromised, 
according to the FBI, 123,000 Social Security numbers. 
Additionally, the FBI has discovered that--oh, I'm sorry, 
that's a repeat. Additionally, they're also being investigated 
in Britain at some point.
    I guess my question is--Serco has an incredibly large 
contract and have proven, as of right now, a failure. Can you 
say with confidence that if we give them this much larger 
contract, that on day one they're not going to be in a position 
to compromise another 123,000 Social Security numbers? 
    Mr. Chao. The Serco contract is actually with CMS, and it's 
called the eligibility support worker contract.
    And we've been working with Serco--just recently, you know, 
they've been awarded, so for the past 2 weeks we've been 
ramping up. And one of the top issues that we're going over is 
the security rules and procedures and policies that apply to 
them under the general, kind of, FISMA Act of 2012, HIPAA, and 
their own corporate practices and procedures. They----
    Mr. Issa. Right. But did you know about these problems and 
failures before you awarded the contract?
    Mr. Chao. No, I was not a part of the contract award 
process----
    Mr. Issa. Okay, but now that you know about it, we're 
working with an entity that apparently does not have the 
internal controls or track record, and yet you're here today 
saying that, in a matter of days, they're going to have a major 
role in major data; is that correct?
    So we're working to get a group up to speed that doesn't 
have a proven track record. My whole question to you is, in the 
awarding of a contract, wouldn't you need an assurance before--
I mean, in other words, I'm not saying you couldn't make them 
ready for prime time in a year or 2. The question is, where's 
the pilot, where's the proof, where's the confidence that what 
has just recently happened won't happen again?
    You know, I don't normally have something in front of me 
that says the FBI has this problem and you've got a brand-new 
contract pursuant to Obamacare.
    Let me just hit one more point.
    Mr. Werfel, this committee has a broad set of 
investigations going on related to the organization you're 
trying to fix, and today is one part of our concern. But you're 
familiar with the 6103, what it means; is that correct?
    Mr. Werfel. Yes, sir.
    Mr. Issa. And 6103 was designed and passed into law to 
protect the American taxpayer from his or her tax records being 
looked at by outsiders or released; is that correct?
    Mr. Werfel. Yes.
    Mr. Issa. Was it ever intended to protect from Congress 
finding out when taxpayers have been abused? In other words, 
should there ever be a claim of 6103 when the victim themselves 
is asking for the release of the information?
    Mr. Werfel. Well, I think you're raising a policy question 
in terms of how 6103 is structured. Right now, it's 
specifically structured to prevent us from sharing certain 
information except to the authorizing tax committees. Whether 
that should be expanded or not I think is a public policy 
discussion on the nature of 6103. But we follow the law, and 
the law requires us to restrict access, except to Ways and 
Means.
    Mr. Issa. Right. But--and I'm going to finish, because I'm 
trying not to go any further over time.
    The fact is that if we don't know the name and the Social 
Security number or Federal ID of an entity, we don't know their 
address, and we don't see financial information, that was the 
intent of 6103. Today, your organization is working to say 
that, for example, knowing how many groups waited how long, how 
many groups are still waiting, those kinds of answers, and 
whether there is so much as one individual.
    And I'll give you an example here today. There are the so-
called test cases that we've had, two test cases. When we ask, 
is one of them still waiting, and we find out, yes, one of them 
is still waiting, people are saying, well--and I sent you a 
letter yesterday, with the other chairman and subcommittee 
chairman--we're being told, well, that may be 6103.
    To know that a victim was isolated 3 years ago, pulled 
aside, and has never been given a ``yes'' or ``no'' answer, to 
know that they're still not giving a ``yes'' or ``no'' answer, 
the claim that that's 6103 is a claim that, in fact, Congress 
and the public is not entitled to know that information.
    And I ask it that way for a reason. I understand another 
committee can see certain information, but it's the public 
that's entitled to know.
    Isn't it true that at least one entity that applied more 
than 2 years ago still does not have a ``yes'' or ``no'' after 
the abuse that has become public that we're all aware about as 
to ``Patriot'' and ``Tea Party'' organizations?
    Mr. Werfel. So, three quick responses.
    One, just to reemphasize, we do share the information, but 
the law restricts us from sharing it only with the chairman of 
House Ways and Means and the chairman of Senate Finance.
    Second, a taxpayer can, under 6103, authorize broader 
disclosure. They can waive their rights, and you can get the 
taxpayer to--say, ``It's important to make this publicly aware, 
but I need you to sign something,'' and often taxpayers agree 
to do that.
    And, third, with respect to--you know, as I've testified 
before you, I'm concerned about the delay that we've seen in 
application packages in our Exempt Organizations unit. And 
perhaps in a different setting, whether off the record or on, I 
can walk you through very important reforms that we're making 
to our 501(c)(4) process to correct that from ever happening 
again.
    Mr. Issa. Well, just for the record, if an organization 
says, we'll waive our 6103 rights so the committee can see the 
individual records, the IRS's current position is they won't 
show us the emails where they conspired against or debated 
that, ultimately, we don't need to see their records, they can 
hand us their records. We need to see who at the IRS was 
delaying and denying and dealing with it, and that's individual 
emails with specificity as to those 501(c)(4)s.
    Thank you. I yield back.
    Mr. Lankford. Ms. Maloney?
    Mrs. Maloney. Well, thank you.
    The chairman raised an important point, that a contractor 
received this contract on very sensitive information, an 
important one, and, according to his words, it doesn't have a 
proven track record.
    You know, I want to know how that happened. Don't you look 
into the backgrounds to make sure they know what they're doing? 
I'd like to speak to Mr. Chao.
    And, also, I would like you, Mr. Chao, to also talk about 
how difficult it is to reconfigure the data hub that you are 
now raising and running if a State decides to assume more or 
less responsibility for an exchange. Are you adaptable?
    Now, I would like to put a little good news into the 
hearing today. The New York Times reports that the health-plan 
costs for New Yorkers is set to fall 50 percent. Now, this is 
great news for consumers, and it's an extraordinary decline in 
New York's insurance rates for individual consumers.
    So it shows the profound promise of the Affordable Care 
Act. But you can't get to the Affordable Care Act if the 
computer system isn't working. So this is a very clear thing, 
and I'd like to know more about it.
    But I'd like you to comment on this article and how your 
hub can address--I know that some States have not gotten their 
exchanges up and running. So how are you adjusting with States 
that don't have it up and running?
    New York State, to its credit, has gotten it up and 
running, and it has great promise for consumers.
    So how are we making this configuration? And I guess, Mr. 
Chao, as the head of the hub, maybe you should be the one to 
answer.
    Ms. Tavenner. Congresswoman, with your permission, could I 
address the New York issue and the Serco issue?
    Mrs. Maloney. Sure.
    Ms. Tavenner. On the New York issue, we were obviously 
pleased to see that this morning. And I think it reaffirms what 
competition and transparency can do in a marketplace, and that 
really is what we're doing in the Affordable Care Act, 
effective in October and beyond.
    On the Serco issue, notwithstanding what the chairman just 
brought to our attention, Serco is a highly skilled company 
that has a proven track record in this country and has done a 
lot of work with other Federal agencies. We are actually 
working with the U.S. corporation, and they are actually 
present in three States. And we--they were awarded through a 
full and open competition, so, obviously, they do have a track 
record with security and privacy.
    And I'll turn it over to Henry to answer the other 
question.
    Mrs. Maloney. You know, but, also, can the system handle 
the varying degrees of astuteness or availability or readiness 
of different States?
    Ms. Tavenner. Yes, and that's where I think Henry comes in.
    Mrs. Maloney. Do you have a different system for each 
State, or is it all one central, big system? And is it 
government or private?
    Mr. Chao. The federally facilitated marketplace system is 
comprised of several actual, you know, kind of, working pieces 
of system architectures that perform eligibility enrollment, 
QHP and plan management functions, financial management, you 
know, generating payments for the issuers.
    The hub, as we mentioned earlier, is a routing tool. It 
affords the efficiencies that are needed for multiple points 
that are requesting the same information from authoritative 
data sources to connect to those data sources, and then 
enforced with a uniform service level.
    That is a scaleable system that is government-owned, and--
it's privately contracted, but it is government-owned. It is--
--
    Mrs. Maloney. Who will run it? Will the government run it, 
or will the private sector run it?
    Mr. Chao. It's a combination of government, you know, staff 
and contracting staff that will staff an operations center that 
actually monitors its operations 24 hours a day.
    Mrs. Maloney. And where is it located?
    Mr. Chao. It's in Columbia, Maryland.
    Mrs. Maloney. Uh-huh.
    Ms. Tavenner. And I would add that one of the advantages of 
having this hub is that, whether States or State-based 
exchanges or some type of partnership model or whether they 
default to the federally facilitated exchange, it's 
transparent. It's easy for us to make those changes. And that's 
part of the----
    Mrs. Maloney. And what is there to protect the privacy of 
the individuals' health records? How do you protect that?
    Mr. Chao. Well, first of all, we don't collect any health 
record information or store health records. I think that's an 
interaction between a consumer that ultimately is enrolled in a 
qualified health plan and then, working with that health plan, 
accessing benefits and utilizing benefits, that that 
relationship affords the ability to collect and store and 
process. That's a relationship between the consumer and the 
health plan.
    The ability for us to protect privacy of the individual is 
working with SSA and IRS and in enforcing the very stringent, 
you know, and rightfully so, 6103 provision and flowing that 
through, you know, Mr. Milholland and other chief technology 
officers and chief information officers from around the Federal 
Government, worked with as a group to develop what we call the 
harmonized privacy and security framework.
    Even though each agency operates under very strict 
guidelines, its own guidelines to operationalize FISMA and 
HIPAA and 6103 in IRS's case, we had to get together because 
this data via the hub was moving and being requested by 
multiple entities, including the State endpoints, that there 
are their own marketplaces.
    So we had to get together to make sure that the 
implementation of those security and privacy controls and 
operations was harmonized and are common across all the 
agencies and not dissimilar, as if we were implementing the 
program in different parts.
    So we got together early on to do this, to make sure that 
we have greater security and privacy, you know, kind of, 
enforcement and monitoring. And the bar is set by 6103 and the 
Privacy Act.
    Ms. Maloney. My time is expired. Thank you.
    Mr. Lankford. Mr. DesJarlais.
    Mr. DesJarlais. Thank you, Mr. Chairman.
    Ms. Tavenner, I have some questions for you, but first, Mr. 
Werfel, I just want to revisit a little bit of the dialogue 
that you had with Mr. Jordan earlier.
    He had asked you if Ms. Hall Ingram was in charge of the 
department that oversaw the targeting of conservative groups, 
and what was your response to that?
    Mr. Werfel. My response is that Ms. Hall Ingram has 
specific ACA responsibilities, but there are other individuals 
within IRS who have responsibilities at the same level, but Ms. 
Hall Ingram does play a coordinating role amongst our various 
ACA activities.
    Mr. DesJarlais. Okay. And one thing we've had, I guess, a 
hard time getting anyone from the IRS to say in multiple 
hearings that we've had is that the IRS was guilty of targeting 
conservative groups.
    You stated that you are the most senior accountable member 
at the IRS currently; is that correct?
    Mr. Werfel. That is correct.
    Mr. DesJarlais. Are you willing to go on record today and 
tell the American people that the IRS did target conservative 
groups?
    Mr. Werfel. I have said--I've testified previously that I 
believe the use of political labels to screen out applicants 
for increased scrutiny, inappropriate political labels, is 
equal to the term ``targeting,'' so I don't dispute that.
    Mr. DesJarlais. All right. Well, it's been hard to get 
someone to say that, and I know that moving forward into this 
healthcare law, that you have a credibility issue with the 
American people, and I think it's very important that you be 
forthright, and I appreciate you saying that today when so many 
others have taken the Fifth.
    Ms. Tavenner, you had testified earlier about the 
preparedness of the CMS, and you're feeling pretty comfortable 
about the ability to be ready on October 1st?
    Ms. Tavenner. Yes, sir.
    Mr. DesJarlais. Okay. I would like to submit for the 
record, without objection, Mr. Chairman, the data collection 
instrument from the GAO report from June 2013.
    Mr. Lankford. Without objection.
    Mr. DesJarlais. Okay. Ms. Tavenner, we have a document that 
was obtained that shows that CMS had only completed 20 percent 
of its work to establish appropriate privacy protections and 
the capacity to accept, store and associate and process 
documents from individual applicants and enrollees 
electronically and the ability to accept image upload 
associates and paper documentation received from applicants and 
enrollees, so the fact that Obamacare became law in March of 
2015, but yet it's just a few months ago the administration had 
completed only 20 percent of its work to establish appropriate 
privacy protections and capacity to accept, store, associate, 
and process documents from individual applicants, why would you 
say the administration failed to prioritize privacy protection 
and data-sharing standards?
    Mr. Chao. I can answer that, Congressman.
    Mr. DesJarlais. Well, Ms. Tavenner, first, you go ahead, 
and then I have a question for you Mr. Chao.
    Ms. Tavenner. Well, first of all, I would say that GAO 
reports and other reports are taken of a snapshot in time, and 
a lot of work has been completed since that time, and I will 
let Henry speak to the details of that.
    Mr. DesJarlais. Okay. Mr. Chao, are you 100 percent 
finished establishing appropriate privacy protections?
    Mr. Chao. No, we are not.
    Mr. DesJarlais. Okay. If not, how much and when will you 
be?
    Mr. Chao. I think since the last report, we are probably--
and this is a very kind of ballpark generalized roll it up kind 
of a figure, I would say with regard to the privacy and 
security, we are probably about 80 percent.
    Mr. DesJarlais. Okay. So the snapshot a couple of months 
ago, you're at 20, and now you're saying you're at 80. Are you 
going to be 100 percent on October 1st?
    Mr. Chao. Yes.
    Mr. DesJarlais. Ms. Tavenner, do you feel that that's 
reasonable that in 3 years you got to 20 percent, and now, in 
75 days, we are going to get to 100 percent?
    Ms. Tavenner. Yes.
    Mr. DesJarlais. Okay. In--also, there's 25 percent of the 
work to establish the adequate technology infrastructure and 
bandwidth to support all the activities with respect to the 
exchanges. Again, why did the Administration fail to prioritize 
this sooner? I'll ask the same question, Ms. Tavenner.
    Ms. Tavenner. I don't know that it's a failure to 
prioritize. There is a certain workflow that has to--actually, 
first you have to put the regulations in process, then you 
start to develop the product from the regulations, and this is 
just the work in progress as any complicated project. We are 
now within the 90-day period of completing the work.
    Mr. DesJarlais. Mr. Chao, the CMS document given to GAO 
says that the estimated completion date establishing an 
adequate technology infrastructure and bandwidth was July 1st, 
2013. Did you meet your deadline for completion of this task?
    Mr. Chao. We have. It's a constant changing target because 
the target is actually----
    Mr. DesJarlais. The deadline is moving.
    Mr. Chao. No, the target is October 1st, and we make 
adjustments as we go to make sure that that target of October 
1st is not missed. As of this month, all the infrastructure and 
the required, you know, hardware, software capacity, all of 
that is available and up and running. The specific application 
software, such as the ``My Account'' that I talked about 
earlier, the enrollment and eligibility pieces, the loading of 
the QHP information to process in enrollment and a payment to 
an issuer, that is an ongoing process. All that code and those 
databases are still being built throughout the summer.
    Mr. DesJarlais. Okay. So both of you are testifying today 
that these shortfalls that are in the report that I mentioned 
are going to be 100 percent complete on October 1st?
    Mr. Chao. Correct.
    Mr. DesJarlais. Ms. Tavenner?
    Ms. Tavenner. Yes, sir. And we certainly will have 
mitigation strategies. I think someone mentioned earlier, and 
in our opening comments, that we will be prepared. We will 
start October 1, and we will certainly have hiccups along the 
way, and we are prepared to deal with this.
    Mr. DesJarlais. Okay. Very quickly. When did you learn that 
the employer mandate would be delayed?
    Ms. Tavenner. When did I personally?
    Mr. DesJarlais. Uh-huh.
    Ms. Tavenner. On June 24th or June 25th.
    Mr. DesJarlais. Why did the President wait till July 2nd to 
announce that?
    Ms. Tavenner. I don't know. I was not part of that 
discussion, but I actually was made aware that it was being 
considered on June 24th.
    Mr. DesJarlais. All right.
    I yield back, Mr. Chairman.
    Mr. Lankford. Thank you.
    The ranking member of the full committee, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    I want to thank you all for being here. I want to thank you 
for what you do for the American People.
    Mr. Werfel, I want to pick up on where Chairman Issa was 
going to take it to a little further. I would like to ask you 
about the ongoing investigation into the treatment of Tea Party 
applicants for tax exempt status. During our interviews, we 
have been told by more than one IRS employee that there were 
progressive or left-leaning groups that received treatment 
similar to the Tea Party applicants. As part of your internal 
review, have you identified non-Tea Party groups that received 
similar treatment?
    Mr. Werfel. Yes.
    Mr. Cummings. We were told that one category of applicants 
had their applications denied by the IRS after a 3-year review; 
is that right?
    Mr. Werfel. Yes, that's my understanding that there is a 
group or seven groups that had that experience, yes.
    Mr. Cummings. As I understand it, last week, the IRS was 
prepared to make a document production to the committee. And by 
the way, this is a request from the chairman, and those 
documents would have shown other categories of applicants, 
categories in addition to the Tea Party groups we have been 
focussing on today. Before I go any further, is that right?
    Mr. Werfel. Yes.
    Mr. Cummings. I understand that our committee does not get 
access to information about specific taxpayers. I think it's 
6103, is that right, those--there are certain that prevent us 
from getting certain information, what Mr. Issa was talking 
about earlier generally.
    Mr. Werfel. That's correct. We'll make certain redactions 
if we believe that the information would be too--have too much 
information so that you could zero in on a specific taxpayer, 
so we'll make those redactions.
    Mr. Cummings. I understand. Under 6103 of Title 26 of the 
United States Code, the IRS cannot reveal specific taxpayer 
information. In order to make these determinations, and this is 
going to what you just said, the IRS has a--have career 
employees who are experts, this is what they do.
    Mr. Werfel. Yes.
    Mr. Cummings. In determining what is covered by the 
statute; is that correct?
    Mr. Werfel. That's correct.
    Mr. Cummings. And in this case, these experts determine 
that the IRS could provide this information to the committee. 
They said the documents did not reveal specific taxpayers but 
instead referred to categories of groups just like the Tea 
Party groups; is that right?
    Mr. Werfel. Yes, that's correct.
    Mr. Cummings. So, based on this established process, we 
should have received that information last week. And by the 
way, to his credit, the chairman has been very aggressive in 
going after documents, but we did not receive that information. 
Instead, I understand that the Inspector General intervened. 
Let me say this again. It's my understanding that the Inspector 
General intervened personally.
    Now, Mr. Werfel, my question is, can you tell us what he 
did, did he call you, and what did he say?
    Mr. Werfel. Okay. The----
    Mr. Cummings. In other words, we are being denied, this 
committee is being denied documents that we have requested. Let 
me finish. And the chairman, to his credit, has been extremely 
aggressive in trying to get documents, and I have been accused, 
by the way, of obstructing the investigation, which is totally 
ridiculous.
    I want the documents. Now, tell me what the IG said that 
prevents our committee, that our honorable chairman, Mr. Issa 
requested, what did he say to you to cause us not to be able to 
get the documents after your experts told us we should have 
them? Can you tell us what--what that's all about?
    Mr. Werfel. Yes. We were imminently going to produce a 
document in an unredacted form that would indicate the identity 
of a grouping of entities that we felt were similar in kind of 
scope as Tea Party in terms of its grouping, so that it 
wouldn't be able--you wouldn't be able to identify a particular 
taxpayer because the grouping name was so broad.
    And he reached out, when he learned that we were about to 
produce this information, and expressed concern and indicated a 
disagreement with our internal experts on whether that 
information was 6103 protected or not, and out of an abundance 
of caution, the IRS decided to redact that information until we 
could sort through with the IG his position and understand why 
it's different from ours. And we've had subsequent 
conversations with him where we have reasserted our position 
that the information should not be redacted, but we have not 
reached resolution with him at this point.
    Mr. Cummings. I don't understand. I thought that the career 
officials at the IRS, the officials who do this for a living 
day after day, hour after hour, already determined that it was 
okay for the IRS to produce these documents to the committee 
that Chairman Issa requested. This seems very strange, Mr. 
Werfel. I know you just started, but has this ever, to your 
knowledge, happened before, the inspector general personally 
intervening to prevent disclosures to the Congress of the 
United States of America, have any of your staff members ever 
heard of this happening before?
    Now, you're surrounded by folks. You can look around, and 
they may tell you something different, and if they've got--if 
they've got some other answers, if they haven't been sworn in, 
Mr. Chairman, I ask that they be sworn in so we can know of 
these exceptions.
    And by the way, Mr. Chairman, I just want the same amount 
of time that Chairman Issa was given. It was a total of 10 
minutes, with unanimous consent, please.
    Mr. Werfel. I just don't know the answer to that question. 
I personally am not aware of any similar situation, but we can 
take that question back and do a broader inquiry amongst the 
IRS leadership and other professionals and get an answer.
    Mr. Cummings. I ask that you please have that answer to me, 
if you can, by tomorrow morning. We're going to be seeing the 
inspector general tomorrow, and I want to make sure that I do 
not prejudge him. I do not want to put anything out there to 
accuse him of anything and then go searching for facts. I 
simply want the truth so that we can restore the trust.
    Our interest is in getting as much information as possible. 
So, let me make sure I understand this. If the inspector 
general withdraws his objection, will you produce that 
information to the committee that Chairman Issa requested?
    Mr. Werfel. Yes.
    Mr. Cummings. Now, let me say something else. Ms. Tavenner 
and Mr. Chao, I heard Mr. DesJarlais' questions, and as I sat 
here and I listened to my good friend Mr. DesJarlais and he 
talked about, at one point, you were at 20 percent with regard 
to the privacy protections.
    And then I think you said, Mr. Chao, and correct me if I'm 
wrong, you are now at about 80 percent.
    And then you and Ms. Tavenner agreed that by October 1st 
you would be at 100 percent, and if there were any problems or 
hiccups, in your words, Ms. Tavenner, you were prepared for 
that; is that correct?
    Ms. Tavenner. Correct.
    Mr. Cummings. Well, I stop here for just a moment to thank 
you for doing what you do to prepare for something that is 
already the law. Although we are getting ready to vote on it, 
by the way, for the 38th time, it is the law, and you all have 
a duty, and I am so glad that even with all the chatter, you 
have to stay focused, you have refused to be distracted and you 
made sure that the American people--that the Affordable Care 
Act and the part that you all have to play in that, that you 
are prepared to do that, and I want to congratulate you. I know 
quite often you get negative comments, but the idea that you 
all took a monumental stance, and I want to say this to the 
other IRS employees, we appreciate it.
    Now, let me say one last thing in any last 1 minute. I've 
said it from this dais before and I will say it until I day: 
This is the United States of America. Every single person on 
this dais, if they have ever hired anybody and ran anything, 
has fired somebody, and just because we have some bad apples 
that don't do the right things does not mean that we stop 
operating. It means that we take the bad apples out, and we 
continue forward.
    This whole idea that there was a problem in the IRS and 
there are ongoing problems and the problems that you are trying 
to straighten out, Mr. Werfel, to your credit, we should not 
then suddenly wave a white flag and say, oh, we can't carry out 
the Affordable Care Act. This is America. We are better than 
that, and I know that you know that, and I get tired of people 
just because there are problems, suddenly they said, oh, no, we 
can't carry out the law. No. We are better than that. And so, I 
want to thank you all and may God bless.
    Mr. Lankford. Two quick notes here, Mr. Werfel. I know you 
have a hearing at 1:00 today. We've been at this for a little 
over 2 hours this morning. I know you need to be excused pretty 
quickly. You have time for one more question, or do you need to 
go ahead and scoot out now?
    Mr. Werfel. No, absolutely. Please.
    Mr. Lankford. Okay. It is--Mr. Woodall is up.
    Mr. Woodall. Thank you, Mr. Chairman.
    And thank you, Mr. Werfel, for spending a little more time. 
I actually had a couple of questions, too, because I think 
you're a very serious public servant. I've been a public 
servant in a couple of different capacities myself, and I think 
it's fine for us to disagree about the issues. I think you have 
to be serious about the work.
    And I appreciate Mr. Cummings' comments about you had a 
responsibility, Ms. Tavenner, you had a legal responsibility, 
and you carried it out, and he's tired of hearing excuses for 
why it is we can't get things done.
    My question to you, Mr. Werfel, is, that's what we saw on 
the Treasury blog. We just can't get things done. Ms. Tavenner 
says, we were only at 20 percent a month ago, but we are going 
to make it happen by October 1st.
    The President seems to have decided or the Secretary seems 
to have decided that, no, we just can't get things done, no 
doubt to the frustration of my friend from Maryland.
    We've got a bill on the floor this week that makes that 
statutory change, taking the Administration at its word that 
they can't get it done, we make that statutory change from 2014 
to 2015. Several times during this hearing, folks have said, we 
just have to follow the law.
    In your discussion with the Chairman about 6103, you said, 
you know, there may be some policy discussions about 6103 that 
we ought to have, but we at the IRS, we just follow the law. 
Mr. Cummings applauding CMS for following the law, doing what 
was required by law. Why is it that we don't have Treasury's 
support for making a statutory change to the law rather than 
just doing things that we would like to do administratively?
    I think one of the real challenges we have is we don't have 
any need to work together any longer. We want to do something, 
we just do it here on Capitol Hill. You guys, the 
Administration decides you don't like the way things are going, 
you just do something different. Why is it that it would not be 
better for the public servants who have to implement these 
laws, for us to actually change the law rather than do it 
through blog posts of administrative decisions?
    Mr. Werfel. The challenge that I have, Congressman, and I 
appreciate the question, is that the role that the IRS has in 
relationship to Treasury is they make determinations on policy, 
they work on whether we are going to support or oppose and how 
we are going to work with Congress on the laws itself, and we 
really are all about administration. So, from my vantage point, 
I can answer questions for you on the decision that the 
Treasury made and how it impacts the IRS' ability to implement 
the ACA, but in terms of the--whether it should be 
legislatively incorporated is something I'd have to defer to 
Treasury.
    Mr. Woodall. I understand your challenges in that and 
respect it. I think about what Mr. Cummings has said about 
applauding the good work of IRS employees across the country 
and a few bad apples. I mean, I stay regularly at town hall 
meetings. You all have a horrendous job, and the job that you 
have that is made so horrendous is made so horrendous by the 
laws that we pass here on Capitol Hill. I feel a great burden 
for the responsibility we put on you.
    I guess what I'm asking is, we just perpetuate the 
frustration with IRS employees when we put them in untenable 
positions. And putting the IRS in the untenable position of 
having statutes that require laws to be enforced and saying, 
but no, we are not going to enforce those laws simply 
perpetuates the negative stereotypes that go on out there 
today. So, understanding that you might not be able to 
speculate on why those decisions were made at Treasury, 
wouldn't you push up the ladder, hey, here's the Congress that 
wants to work with us to get this done in a statutory way for 
the House, the Senate, the President, to come together and do 
exactly what Treasury seems to be asking for, why can't we come 
together and do that? Why won't you push that message up the 
chain?
    Mr. Werfel. Well, without particularly commenting on this 
issue, I think in general what the IRS does is we--we do have a 
guiding principle that the simpler the tax code, the simpler 
the laws are, the more clear they are, the more we are going to 
be able to administer it then effectively and efficiently. And 
so, you know, we have that guiding principle, and then as we 
deal with different legal issues that arise, Treasury will 
consult with us on the administrative aspects of them.
    Mr. Woodall. I understand that, and I absolutely agree with 
that. I would say, ``shall begin after December 31st, 2013'' is 
pretty simple. I would say that subsidies shall apply to State-
based exchanges is pretty simple. We've done the best we can in 
terms of simple law, and folks have gone and reinterpreted what 
was very simple law, and that's the frustration to me as a 
legislator.
    I hear what you say to the chairman, 6103 is clear, it's 
black letter law, Mr. Chairman, we can't avoid it, and I'm 
thinking, for Pete's sake, you decided that you don't like the 
mandate timing, so you'll do something different there. You 
decide you don't like the subsidy implementation, so you'll do 
something different there. These are very serious men, the 
chairman and the ranking member, you could just decide, you 
know what, 6103, it says, Finance Committee and Ways and Means, 
Chairman, but it probably should have included the oversight 
guys, too, probably should have. The subsidies probably should 
have done the Federal exchanges. The deadline probably should 
have been a year out, but you don't.
    There is a lot of lack of confidence in America in both the 
administration and the Congress these days. We have 
opportunities to work together instead of working against each 
other, and it frustrates me that even on something as simple as 
a date change, we can't even take advantage of that opportunity 
to restore faith in the people's government here in Washington, 
and I thank you all for being here.
    Thank you, Mr. Chairman.
    Mr. Lankford. Thank you.
    Mr. Werfel, I know you've got to scoot out of here and get 
ready for the next hearing. Thank you for being here.
    Mr. Milholland, will you be able to remain or----
    Mr. Milholland. I can remain.
    Mr. Lankford. That would be great if you can, so if you 
need to answer for IRS.
    Mr. Perry.
    Mr. Perry. Thank you, Mr. Chairman.
    Ladies and gentlemen, thank you very much for being here. 
We understand on this committee that--and in Congress, that you 
have a duty to perform and you don't always necessarily agree 
with what we send out of this place, but you do your duty and 
you perform it as best you can. We appreciate that. We also 
have a duty as well, and I would take some exception with the 
statement that our duty is to make sure this works.
    We have a duty to our constituents to make sure that we 
echo their concerns and ask questions on their behalf, and on 
my part, a lot of my constituents are concerned and skeptical 
about this law and the contents therein, and so I want to ask 
some questions on their behalf.
    I guess, Mr. Chao, I'll start with you, because I'm not 
really sure who else to start with. Who--is there one person? 
Who is the charge--or who will be in charge of the data hub?
    Mr. Chao. In CMS, we typically have a combination of lead 
policy, what we call business owners of the hub. The 
administrator ultimately is accountable and responsible for any 
of the technology that we implement to support the programs, 
but the day-to-day operation is governed by a board of business 
and technical leadership in the agency.
    Mr. Perry. In CMS or the IRS?
    Mr. Chao. There is a CMS and as well as a cross agency----
    Mr. Perry. So it's a bunch of people who will never have, 
in my opinion and I think in a lot of American people's, 
because of that, there is never really going to be true 
accountability because something happens, everybody's going to 
point to everybody else. I mean, it's a--how many people are we 
talking about? Do you know? I mean, you're--you're in charge of 
some of this stuff. Do you know?
    Mr. Chao. I think what it boils down to is there is only 
less than a dozen people who are truly----
    Mr. Perry. Less than a dozen, okay, and some from our--
there are five agencies. Somebody from the five agencies, a 
person from each within the five agencies that are getting data 
in, taking data out? I mean----
    Mr. Chao. Correct.
    Mr. Perry. Okay. So, I mean, you are going to know my 
Social Security number, my email address, my home address, my 
financial information, whether I ever got a DUI, you are going 
to know--this--this portion of government, the Federal 
Government is going to know literally everything about me 
that--and everything about every 300-plus million Americans 
that they find personal and are concerned about having their 
neighbors know about, and so they're right, I think, to be 
concerned.
    Who determines what questions are asked? And I know you 
kind of alluded to, at least in one part, that you are not 
going to have personal information or personally identifiable 
information, but in another sense, I thought you said that 
you're going to know the home address, the email address, 
ethnicity. Who--who determines the question? Why is ethnicity 
important? Why is whether my wife is pregnant important? And 
when does she have to report it? Or when do you find out? What 
do you do with that?
    Mr. Chao. We make a proposal under the Paperwork Reduction 
Act, in which actually the public and Congress and anyone with 
the public at large can comment on the questions that we've 
asked, that we've included, that we felt essential to be part 
of that streamline application; that's online to apply for 
affordable care.
    Mr. Perry. So you make a recommendation, and we can provide 
comment, and what happens with our comments when we object?
    Mr. Chao. I think similar to rulemaking, we factor those 
comments in and categorize them and take a serious look at the 
policy and legal angles and technical implementation angles of 
it and we try to accommodate the kind of the very, very huge 
concerns that we get back under----
    Mr. Perry. So, you're with CMS. Why is ethnicity important? 
Who is it important to?
    Mr. Chao. I am on the IT side. I cannot answer.
    Mr. Perry. Yeah, but you're--that's the thing. You are one 
of these guys that are at the top. Are you one of the less than 
a dozen people on the committee in charge of the data hub? Are 
you one of those people?
    Mr. Chao. Yes.
    Mr. Perry. Okay. So if you don't know this, who does? Who 
knows the answer, and shouldn't you know it?
    Mr. Chao. I think within my purview, I don't try to 
question every detailed policy that I am asked to implement. I 
am more concerned about capturing the requirements to make sure 
the system is reflecting----
    Mr. Perry. But you are one of the people that weighs in on 
whether it's important or not for your organization and what 
you do, and this is the American people's personal information, 
so it needs to be important to somebody. If everybody took your 
opinion, nothing is important to anybody as long as the next 
guy said it was. I mean, the fact that you didn't know about 
this Serco. I mean, do you think the American people believe or 
know right now that all this information about them is going to 
be handed off in some form to private contractors? Do you think 
they know that?
    Mr. Chao. I think they will know because they are in charge 
of consenting to that release. We--when you----
    Mr. Perry. So, on the release, it's going to say, ``I'm 
giving my information to CMS,'' or ``I'm giving my information 
to Serco''?
    Mr. Chao. It's actually the process. So if you're in that 
inconsistency period, you are giving consent that we will be 
handling any issues that you have.
    Mr. Perry. You'll be handling it, but it doesn't say that 
your information will be handled through us via contract by a 
private organization who's owned by a British company or by 
MasterCard or whoever the contractor happens to be at that 
time.
    Ms. Tavenner. Let me try to help answer some of these 
questions because I think the accountability obviously stops 
with the CMS administrator, and that's me, and we do have 
business owners, and Henry is responsible for the IT 
implementation.
    Let me start with your question about health information 
and a reminder that the hub does not store any information, but 
it does not even ask for health information. The only time that 
pregnancy becomes an issue is, obviously, if someone is 
qualifying for Medicaid and there are benefits, they are 
eligible for Medicaid and maybe they're pregnant so it varies 
State By State, so that would be the reason for the pregnancy 
question.
    Much of the information that we ask is required by law, and 
if you'll remember, there a couple of months ago, we went from 
a long application process down to what we are calling a 3-page 
application for an individual who is applying on the 
marketplace. But once you start to get inside, whether it's 
Medicaid or CHIP, there may be additional questions that we 
need to answer in order to help someone get eligibility. That's 
usually done at the State level.
    There is no health information. When we work with Serco, 
Serco is helping with enrollment and eligibility, so there is 
data that we store around things such as your email address, 
such as your phone number, such as Social Security, but part of 
that is stored so that if you have a dispute about whether or 
not you were eligible or you have an appeal, we have that 
information, but it's not kept on the hub.
    Mr. Perry. It's stored somewhere.
    Ms. Tavenner. Yes.
    Mr. Perry. Mr. Chairman, with indulgence, one last 
question, is for Mr. Milholland. We heard earlier that there 
would be penalties for folks that had breached the confidence 
of the American people by providing that information to folks 
outside, tax information, so on and so forth, you work at the 
IRS. Let me ask you this, regarding the information, regarding 
targeted political organizations that we recently learned 
about, has anybody been penalized at this point that you know 
of in your organization?
    Mr. Milholland. The only thing I am aware of is people are 
no longer in the jobs they were in.
    Mr. Perry. Have they lost their pay?
    Mr. Milholland. That, I do not know.
    Mr. Perry. Thank you, Mr. Chairman. I yield back.
    Mr. Lankford. Mr. McHenry.
    Mr. McHenry. Thank you, Mr. Chairman.
    Mr. Duncan, in your March report of this year, TIGTA gave 
no indication there would be problems with the IRS' 
implementation of reporting requirements; is that correct?
    Mr. Duncan. That's correct.
    Mr. McHenry. Okay. So does that include section 6--6055 
that requires insurers to report about the coverage that they 
provide?
    Mr. Duncan. There are several information requirements from 
insurers, employers, from the exchange itself on a monthly and 
annual basis, so all that information will flow to the Internal 
Revenue Service and has to be processed, maintained and kept.
    Mr. McHenry. But you had no issues with that.
    Mr. Duncan. That is still not really done until 2014 will 
that data start to flow to the IRS.
    Mr. McHenry. Okay. But does this include section 6056 that 
requires employers provide information on the health insurance 
they provide, so----
    Mr. Duncan. We are very concerned about that with the 
recent change and the recent----
    Mr. McHenry. No, no, but prior to that. We're talking about 
your March reports. I mean, because you're there to make sure 
that we're, you know, the IRS is moving along in the path here.
    Mr. Duncan. That's correct.
    Mr. McHenry. Right. And so, in your March report, you said 
they didn't have any issues with this process of getting that 
information, right?
    Mr. Duncan. That was the information that they were 
collecting for the income and family size verification.
    Mr. McHenry. Right. That's what I have.
    Mr. Duncan. And the overall plan that they had in place 
looked good.
    Mr. McHenry. Looked good. Okay. So, you know, when we see 
the President announce this change, right, on employer mandates 
and then we see this other movement in terms of reporting 
requirements, right, which you have the business mandate, then 
the reporting requirements that the President then, through 
this administrative procedure here, they've said, well, we are 
just not really going to verify very much, right, but is there 
in basis, basis in practice, right, saying that they really 
don't have that capacity, I mean, according to TIGTA?
    Mr. Duncan. In accordance with what we reviewed in the 
application that we looked at the IRS and our understanding, as 
of today, is the IRS will continue to provide to the exchanges 
through the HHS hub----
    Mr. McHenry. All right.
    Mr. Duncan. The income and family size information. Now, we 
did not see, in our review, that there was a major change in 
the IRS need or requirement to provide that information if it's 
available.
    Mr. McHenry. Yeah, but I mean, this is the verification 
process to ensure that people are complying with it, right?
    Mr. Duncan. Yeah. I just want to make sure, though, that we 
understand that the IRS information is only one set of 
information that the exchange will use in looking at and 
determining what the final income and family size data should 
be.
    Mr. McHenry. Okay. So let's run a scenario here.
    Mr. Duncan. Uh-huh.
    Mr. McHenry. Okay. So, you know, in a state that doesn't 
expand Medicaid, for instance, North Carolina being one, and I 
represent a district in North Carolina. A man who earns 
$15,000--I am just going to walk through this scenario so 
people have an idea--would be eligible for a $3,400 subsidy if 
his employer does not extend an offer of affordable coverage to 
him or her, for instance. And so in 2014, with the Federal 
Government, would they be able to verify whether this 
individual had an offer of affordable coverage at work?
    Mr. Duncan. I assume the HHS or the exchange at the state 
level would be in a position----
    Mr. McHenry. We don't have an exchange at the State level.
    Mr. Duncan. Then the Federal exchange would have to be 
doing that, and they would ask for information from the 
Internal Revenue Service as well as other locations.
    Mr. McHenry. Okay. So, Ms. Tavenner, if an individual fails 
to report that he has an offer of affordable employer-sponsored 
insurance, right, will he receive a subsidy of that $3,400?
    Ms. Tavenner. When an individual does do the self-
attestation, they would verify whether or not they had 
employer-sponsored insurance.
    Mr. McHenry. Right, right, so they're going to say, hey, 
here's the deal, didn't get it, give me $3,400 bucks, subsidy. 
So, you know, if I'm verifying for myself, right?
    Ms. Tavenner. If you're verifying for yourself and you say 
that it's available and you didn't get it, you will not be 
eligible for the tax credit. And a reminder----
    Mr. McHenry. Right. But who's going to say I'm not eligible 
for free stuff?
    Ms. Tavenner. So, I'll remind you that you signed, when you 
complete the application, that this is under law, perjury, 
okay, so there are consequences to an individual who is not 
truthful on their application.
    Mr. McHenry. So what kind of enforcement are you going to 
have on that truthfulness?
    Ms. Tavenner. Obviously, we would follow law.
    Mr. McHenry. Right. But you have to have people to execute 
the following of the law. Are you going to ring them up and 
say, hey, by the way, were you honest then this self-
attestation?
    Ms. Tavenner. Well, we will look at ways to verify.
    Mr. McHenry. Oh, you'll look at it. Okay. We are talking 
about this going into effect this fall. We wanted something a 
little more than a look for. What is your process to verify 
that what they said was in fact true?
    Ms. Tavenner. So, we--there are a couple of ways. 
Obviously, we will verify first with the IRS, with SSA, 
information that's available. If we are not able to get 
everything we need there, we will work with private commercial 
products, such as Equifax.
    Mr. McHenry. So, Equifax would have knowledge on whether an 
employee of my brother's business was offered a health 
insurance plan that was commensurate with the requirement under 
Federal law? Equifax would have that knowledge?
    Ms. Tavenner. We are looking at a process and I'll be happy 
to get back to you with those details, so I need to get--walk 
you through the process, and I'm happy to.
    Mr. McHenry. I would think you would sort of think this 
through with this big announcement that we are going to waive 
the employer mandate, right?
    Ms. Tavenner. We are going----
    Mr. McHenry. But you leave the individual mandate, so 
people are required, under compulsion of the law, right, which 
apparently you haven't thought about the enforcement of that 
law, which is sort of interesting, and maybe sort of liberating 
for some people, by the way, that you still have it on the law, 
but you don't have any enforcement mechanism.
    Ms. Tavenner. And I'm happy to get back with you of that 
process.
    Mr. McHenry. Well, I would hope you would get back with us, 
and I hope you would think more deeply about this. When you 
testify to Congress about something this important, that you 
would have taken a little bit of time to think through that 
verification process and that enforcement mechanism that you 
have enormous authority, as well as the IRS, to enforce it.
    And so, with that, Mr. Chairman, thank you for the 
indulgence of time, and I didn't get to the fullness of the 
questions I had, but this--this is outrageous that the non-
answer that I was given. I appreciate the chairman's work on 
this.
    Mr. Lankford. Ms. Tavenner, about how much time do you 
need, do you think, to be able to come back on his question?
    Ms. Tavenner. Yes, a few days.
    Mr. Lankford. A few days. Great. Thank you for that.
    Mrs. Black.
    Mrs. Black. Thank you, Mr. Chairman.
    I want to thank you and the committee members for allowing 
me to sit on the committee and be able to ask questions to this 
very important issue. I want to thank all of you for being here 
to testify as well.
    This is something that is really very near and dear to my 
heart because I come from a State called Tennessee where we had 
TennCare. We had the pilot project. So I'm very familiar with a 
lot of what's going on.
    As has been reported by one of the members of this 
committee, there has been a lot of information out there that I 
have put out to say, there are questions that need to be 
answered, and I'm glad that you're here today to answer those.
    I do want to go back to say that it is very concerning that 
there's a conflict. There's a conflict between what you say and 
what we read, and I want to start with the first of those, 
because I want to go back to a system of records notice, and it 
says, and I quote, records are maintained with identifiers for 
all transactions for a period of 10 years after they are 
entered into the system. Records are housed in both active and 
archival files in accordance with the CMS data and document 
management policies and standards.
    It has been said over and over and over again by you, Ms. 
Tavenner, that these records are not kept.
    How is it that we see in the systems of records notice, 
this is what we are being told, and yet you say--and this is 
why there is a lack of confidence in the people of this 
country, is that we don't have confidence that what we hear and 
what is actually there matches up.
    Ms. Tavenner, can you address that?
    Ms. Tavenner. Yes, Congresswoman, I can. I have said that 
we do not store information in the hub. I have also said, and 
as obvious by what we supplied in our systems of record notice, 
that we do store information on the marketplace, which is 
separate from the hub.
    Mrs. Black. So let's be very, very clear that this 
information is being stored. When we continue to say, oh, this 
information is not stored, I think there, that people then go, 
oh, you're wrong in saying it's stored. It is stored, and we 
have documentation.
    Now, let me go to the second bullet.
    Ms. Tavenner. Well, as I said in my opening testimony, 
there are two systems, and it's important to understand that 
one is the hub, which is a router, and the other is actually--
--
    Mrs. Black. Which is a router that has a lot of people 
inputting information and taking out information, so I'm still 
not confident that what's been said here today, that all of 
this is protected because I have additional questions, which I 
know I won't have time to get to, about what are the background 
checks? Who will have that access? But let me also go to the 
next question on this, because it was referenced that there is 
no personal health information that is collected, and I want to 
go to a documentation that was put out, I guess, about 2 weeks 
ago, and this is--I am going to the section of verification of 
eligibility for minimum essential coverage other than through 
an eligible employer-sponsored program, and I am in the 
section, and I'll give you the number of that section, 155.320.
    So, here is what it says, and I am reading out of the 
fourth paragraph in here that says, ``finally, we propose and 
added a paragraph to provide consistent with 45 CFR,'' and 
there is a lot of other. I won't go through that, and this is a 
quote, ``a health plan that is a government program providing 
public benefits is expressly authorized to disclose personal 
health information, as that term is defined in 45 CFR 160.103, 
that relates to eligibility for or enrollment in the health 
plan to HHS for verification of applicant's eligibility for 
minimal essential coverage as a part of the eligibility 
determination process for advanced payments for premium tax 
credits.'' It specifically says in here that they are expressly 
authorized to disclose private health information.
    Can you speak to this?
    Mr. Chao. I can answer this. You know, something--something 
like a birth date that exists in one particular context can be 
treated very differently and called and wrapped around, for 
example, personal health information when it appears in another 
contract--context, such as your health record. I think the 
minimum essential coverage, the intent is to check other 
sources of potential coverage to determine whether that 
coverage would be duplicative, supplemental or contradictory to 
what the law has indicated that you cannot be in an exchange or 
a marketplace benefit receiving a premium tax credit and 
enrolled in something else that's also a government program.
    So, that information, when we check that, if you look at it 
in the context of how it's delivered to us, for example, from 
VA, it is part of the health record, but it is just the date of 
eligibility. We don't hold any--you know, it's is a vernacular, 
you know, kind of vocabulary contextual kind of issue, so it's 
not clinically related. It is just a check on the status of 
your eligibility.
    Mrs. Black. Well, I hear what you're saying there, but this 
specifically says, is expressly authorized to disclose personal 
health information.
    Mr. Chao. Right, but I think you were----
    Mrs. Black. Well, I am going to need to get--and we can 
have another conversation here, but I am going to need to get 
assurances that when you have an expressed authorization to 
disclose personal health information, that we give assurances 
to our constituents, my constituents that this information is 
not going to be shared with people that shouldn't be getting 
it, and I don't still have assurances in what I am seeing here.
    I think, Mr. Chairman, there needs to be many more of these 
hearings to--both for those Congressmen that are concerned 
about this as well as more importantly my constituents in the 
public who are really concerned about what has happened most 
recently with the IRS and how information has not been 
protected and people have been targeted, and likewise, I think 
there are many more questions about navigators and what kinds 
of background checks they have, what kind of training they had, 
this is something that certainly needs to be talked about a 
whole lot more.
    And again, I yield back. I know my time is up. Mr. 
Chairman, once again, thank you for allowing me to be here at 
this committee hearing.
    Mr. Meehan. [presiding.] Okay. I thank the lady, and I 
thank the panel. I know we have gone through a lot of 
questioning. There is just a few of us have some follow-up 
questioning, and you will indulge me on that. I certainly--I 
mean, I want to echo the point that was just made by the 
gentlelady from Tennessee. I mean, this is not only the idea 
that it's within the regulations that you published yourself, 
but the concept that there are certainly circumstances where a 
lot of that can be done without the consent of the individual 
whose records they are. I mean, this is--and I know it goes to 
contractors, and nobody knows who those contractors are at this 
point in time. And we are 75 days away from implementation and 
you can't identify with specificity who it is who are some of 
the contractors and what kind of things have been done, but I--
to assure the credibility of their participation in the system.
    But you talked about harmonizing, Mr. Chao and others, the 
work that's going to be done among the various agencies in this 
database, and, therefore, you are going to pull in the 
activity. And I know the IRS has a system which has been 
effective or at least the more effective, but I look at the 
agency score cards, and I am talking about harmonization, and 
this is the agency Federal department's and agency's cross 
priority goals in cybersecurity for the second quarter of 2013, 
so this is the most recent one. And when we begin to talk about 
those who are on the scorecard, two of the poorest performers 
are HHS and the Social Security Administration, both performing 
under the requirement that the executive branch will achieve 95 
percent implementation of the cybersecurity capabilities.
    So who's going to be, are we going to rise to the level of 
the IRS, or is it going to be down to the lowest common 
denominator with respect to the HHS and Social Security 
Administration
    Mr. Chao. I think, working with IRS, certainly I mentioned 
earlier, that they've set the bar for security and privacy of 
protected, you know, information. You know, specifically in 
their case, under 6103 and based upon our experience, you know, 
working with systems that process personally identifiable 
information relative to eligibility, particularly like Medicare 
eligibility or enrollment dates and history of enrollments, 
we--I can't speak for the HHS level. There are 11 operating 
divisions or agencies within HHS of which CMS is just 1 of the 
11, so I don't know if that scorecard reflects, you know, the 
individual CMS progress, but we can certainly look into that 
and get back to you.
    Mr. Meehan. Well, two of the three components that are 
going to be critical among these are the worst performers, but 
let's--let's on the part of this, is this is a dynamic network 
and people keep talking about the fact, well, information isn't 
going to be connected here or stored in one particular place, 
but it's just once one has access into this system, 
particularly in light now, the fact that it's going to have so 
many different places in which responsibility for security will 
be contained, including, as best as I can understand, the fact 
that there are at least 15 States who will be operating their 
own exchanges.
    And Mr. Duncan, maybe you can speak to some of this, but as 
plan management--Mr. Duncan, does plan management include 
security?
    Mr. Chao. I don't think Mr. Duncan can speak to that.
    Mr. Meehan. Mr. Chao. Well, let me ask him this question as 
inspector general, does plan management include security?
    Mr. Duncan. Plan management should be considered when you 
build any application; it should be baked into the application, 
for sure.
    Mr. Meehan. Mr. Chao, are you saying plan management does 
not include security?
    Mr. Chao. No, I'm saying it does include security, and plan 
management is a core function inside the federally facility----
    Mr. Meehan. Okay. Well, here I have--and this is the report 
of the GAO that was done recently establishing, it says, for 
those 15 FEEs which States will assist with plan management 
functions, CMS will rely on the States to ensure the exchanges 
are ready by October 2013.
    So, all of this work you are talking about, the fact of the 
matter is there is 15 different States and you're basically 
saying, Ms. Tavenner, well, we are going to rely on them. They 
are going to sign documents that say that they are okay, but we 
are going to rely on them. This is your document. Is that 
accurate? Ms. Tavenner.
    Ms. Tavenner. I am trying to answer. Actually, it's a 
little more interactive than that. We have oversight. Even 
when--what we do is we allow State-based exchanges to build 
their own platform, but we also work closely with them both on 
security plans, on plan management.
    Mr. Meehan. And how closely have you worked? Let me go down 
into the footnote, footnote 42. Seven of the 15 States 
submitted an application, were approved to assist and other 
plan management functions. Additional seven States were not 
required to submit an application, and CMS officials indicated 
the agency has no formal monitoring relationship with the 
States. Instead, CMS conducted a 1-day review of these States.
    So here we have the greatest data hub--the greatest data 
hub that has ever been put together with private information in 
the history of the government. It is going to be related back 
to your reliance on the States to do it. You say you have 
oversight, and by the GAO's report, what was done with seven of 
those States was you went and you spent one day on the review, 
presumably looking at a whole variety of issues, not just 
security.
    Ms. Tavenner. In this case, those seven States you're 
talking about--I don't have the benefit of your document, in 
front of me, but----
    Mr. Meehan. This is the GAO report.
    Mr. Dicken, you made the report.
    Ms. Tavenner. Yes, I've read the report, but I'm just 
saying I don't have that page in front me, but the seven page--
the seven States that you're referring to are actually 
interested in doing plan management, which is the work with the 
issuers, which is a function they do today through their State 
insurance commission, and so we do work closely with the 
insurance commission.
    Mr. Meehan. Well, what do you do to assure the security of 
the system with them, because it seems to me that you are----
    Ms. Tavenner. So the security of the system goes back to 
the hub and accessing the hub, which is part of our plan. So 
just because they do plan management that's out of State, they 
do not have a separate mechanism to enter the hub. To enter the 
hub the same way we've talked about, applies to all 50 States. 
The two are not the same.
    Mr. Chao. To add to that, we also conduct technical 
reviews, which include security components, and we sign the 
essential security documentation that's needed and agreements, 
such as computer matching agreements and data use agreements, 
with all the States. So, there are other checks and balances 
that are in place, you know, as I mentioned earlier, the 
overall security framework.
    Mr. Meehan. What assurances do we have that the States are 
capable to protect the system, at least at their entrance 
point, and that your system is capable of protecting itself 
against the high level of--of effectively cyber attacks that 
are taking down the most sophisticated systems in the world.
    Mr. Chao. I think with ingress points and connection points 
with the federally operated IT and managed IT, I think we 
definitely apply, as you well know, under Homeland Security and 
at the department level and even at the agency level, lots of 
continuous monitoring of the networks and intrusion. I think 
that----
    Mr. Meehan. It's saying that--the report that I just have 
that came down from the colleges says they can be months before 
anybody realizes that they are even in there.
    Mr. Chao. And I'm saying that with regard to the ability to 
impose the same Federal requirements on State systems and 
networks, I don't think we have applicable law that clears our 
ability to impose that on States, other than asking them to 
sign agreements.
    Mr. Meehan. My time is expired, and I need to respect the 
time.
    So I will turn it over to the gentlelady from California, 
Ms. Speier.
    Ms. Speier. Mr. Chairman, thank you.
    You know, when Medicare was first passed as a law, there 
were huge cries by many in Congress about how it was going to 
be horrific and bring socialism into this country. Fast forward 
to when we were debating the Affordable Care Act and signs 
across this country and at town halls that I was party to were 
signs that said, ``Don't touch my Medicare.'' I believe that 
there will be a time when the signs will be, ``Don't touch my 
ACA benefits.''
    I am really apologizing to each of you for what I think has 
been a counterproductive engagement today. I think most of what 
has happened has been efforts to throw sand into the gears, and 
I don't think that's what this committee is supposed to do. We 
are supposed to drill down, to find out whether or not there 
are any oversights, and if there are, help you fix those 
oversights.
    I have a lot of confidence in what you're doing. It is not 
going to be perfect out of the shoot, it just isn't, and I 
think we do great harm when we continue to spew out lies, much 
like the lies about the death panels. For those that have an 
agenda to dismantle the Affordable Care Act, this is not where 
they need to be. For those that want to make sure it works 
successfully, this is where they should be, and I want to thank 
each and every one of you for your efforts to try and make this 
a successful one.
    Now, I would like to ask one question. As you have weighed 
in, as you have dived deeply into this, implementation, is 
there is a particular area that you have some concerns about 
that we haven't addressed that we should address either by 
legislation or by information that we convey to our 
constituents?
    Ms. Tavenner. I thank you for your support, and I would say 
that our biggest concern is that we have adequate resources to 
do the--to do the work. The President's budget has proposed 
resources for 2014. It is important, if you want, and we want 
to take privacy and security seriously, we need to have the 
resources to be able to do that, and so I would appreciate your 
support in that area, and I thank you for your earlier 
comments.
    We have a great team at CMS, and we are working very hard, 
and we look forward to October 1st.
    Ms. Speier. Anyone else?
    Yes, Mr. Milholland.
    Mr. Milholland. As Mr. Werfel also commented about the 
budget issues, their primary concern is resources also, so I 
would echo Ms. Tavenner's comments.
    Ms. Speier. Mr. Duncan.
    Mr. Duncan. Yes. The inspector general has three basic 
concerns, and I think I mentioned those in my initial 
testimony, but I'll recap them. The protection of Federal tax 
data at exchanges, we believe, is a very specific requirement. 
The safeguards program at the IRS, we are currently doing an 
audit of that program as we speak, and we think they are going 
to need the resources and funding to expand significantly to 
cover the additional State exchanges and its very specific 
requirements, as has been talked about before for that.
    Also, the fraud prevention systems, that they're ready by 
January of 2015, that's the return review program at the IRS, 
which brings analytics and stops the refund from going out the 
door, not after the fact and try to recoup it after the money 
is sent out. And also, the thing we've been talking about quite 
often, which is the interagency testing--this is all the 
components, including the IRS, that there is sufficient testing 
for the entire system, not just the pieces. Those would be my 
three concerns.
    Ms. Speier. All right. Thank you.
    Anyone else?
    Mr. Dicken. I can just note from our GAO report, you know, 
I think we highlight, I have two key areas that are remaining 
that are key for the October 1st implementation. We certainly 
talked a lot today about the data hub as a key tool for that. 
We talked now some about plan management as a separate core 
function. The last core function that we spoke to was consumer 
assistance. That's an area where much of that is happening 
before October 1st and certainly another core area where there 
have been some delays and then core activities that need to 
take place by October 1st.
    Ms. Speier. All right. Mr. Chairman, let me just end by 
sharing three quotations about how people were so exercised 
about Medicare when it was being contemplated. Ronald Reagan, 
in 1961, said, ``If you don't stop Medicare, one of these days 
you and I are going to spend our sunset years telling our 
children and our children's children what it once was like in 
America when men were free.''
    George H. W. Bush, in 1964, described Medicare as 
socialized medicine.
    Barry Goldwater said, in 1964, ``Having given our 
pensioners their Medical care in kind, why not food baskets, 
why not public housing accommodations, why not vacation 
resorts, why not a ration of cigarettes for those who smoke and 
beer for those who drink?''
    We really have got to get beyond the rhetoric----
    Mr. Jordan. Would the gentlelady yield for a question?
    Ms. Speier. I am just closing. You can certainly carry on 
in your recount, but I would just say, rhetoric is not what we 
need to be talking about today. What we need to be talking 
about is the sum and substance of how we make this operate 
effectively, efficiently with privacy concerns resolved, with 
security concerns resolved and with the understanding that the 
fraud that may occur, if it is fraud, or just a misassessment 
of what one's salary is, is that, at the end, it is going to be 
figured out and payments will be made back to the U.S. Treasury 
for the fraud that may have occurred when someone said they 
were making less when they were really making more.
    Now, any other fraud that occurs, it may be a subject that 
we would have to discuss further, but at this point, Mr. 
Chairman, I thank you for chairing this hearing, and you know, 
we have had a great relationship and I look forward to more of 
the same.
    Mr. Lankford. [Presiding.] Thank you.
    Let me ask a couple of questions here. We are getting close 
because I know you all have been at this a very long time. The 
verification that they qualify for a subsidy, is that done at 
the exchange level or CMS? Who verifies that they qualify?
    Mr. Chao. The verification services are processed by CMS 
systems for Federally Facilitated Marketplaces and via the hub 
connecting to the income verification sources.
    Mr. Lankford. Okay.
    Mr. Chao. For State-based marketplaces, they do that 
themselves connected to the hub via income sources.
    Mr. Lankford. So, with that, they've got to have access to 
all of that raw data to be able to make a decision. They are 
not just getting yes-no answers. When they pull data, they're 
pulling data, so it's entering fields.
    Mr. Chao. Yes, but it's also--I don't want folks to think 
that it's a whole array of tax return information or health 
records.
    Mr. Lankford. Can we get a----
    Mr. Chao. It's very narrow.
    Mr. Lankford. Can we get a list, as it stands at this point 
right now, what information is coming down? Because I assume 
it's on their 1040, line 47, such and such, this data is made 
available. I'm trying to find out what is made available to an 
individual in that. Because if the exchange makes the decision, 
that means they've got to have access to the raw data.
    Ms. Tavenner. We can get you information----
    Mr. Lankford. That would be terrific. And just on the broad 
range, I'm sure it's all been laid out at this point, 
obviously, to know what all that involves on it.
    This came up earlier, Ms. Tavenner, about the delay in the 
employer mandate. You had mentioned late June, June 24th, that 
you had received notification that that was going to be 
delayed.
    Ms. Tavenner. Let me be clear. June 24th or June 25th.
    Mr. Lankford. That's fine.
    Ms. Tavenner. I'm not sure which day.
    Mr. Lankford. Yeah, that's fine. Yeah, I wouldn't hold you 
accountable to that, one way or the other.
    But the question is, this has to be an ongoing part of the 
conversation. This was not a sudden decision late in June, that 
the administration thought this was a bad idea, let's delay it. 
There were a lot of factors that went into it.
    Was the creation of this data hub and some of the 
connections between the employers submitting information about 
their insurance and what insurance that they're providing to 
employees and the complicated nature of that, was that a part 
of this conversation?
    Did CMS or IRS have conversations with the administration 
to say, ``We've got all of this together. This is coming 
together well. We don't yet know yet how we're going to get 
employers to tell us their information on the employees''?
    Ms. Tavenner. Mr. Chairman, I cannot speak for IRS, but we 
did not have conversation.
    Mr. Lankford. So the first you'd heard about this at all or 
people at CMS had heard about this at all was June 24th or 
25th?
    Ms. Tavenner. The first I heard of it.
    Mr. Lankford. Okay.
    Would the IRS side--where are you? Because, at some point, 
it sounds like there will be--employers will have to submit, 
``My employee has been offered this coverage.'' Is that system 
in place? Is IRS prepared to be able to do that yet?
    Mr. Milholland. That particular deliverable is 2015. This 
direction to move it to the right slides that, I think it was 
roughly about 6 months, if I recall correctly.
    But, in any case, the IRS has to be prepared on day one 
with respect to those employers who choose to voluntarily 
provide the information. So the fact that Treasury moved the 
requirement to the right for----
    Mr. Lankford. No, my question is, was there dialogue 
between IRS, Administration, Treasury, whoever it may be, to be 
able to voice, ``We don't have a mechanism to yet be able to 
verify this with the employers''? So was that a part of the 
conversation?
    Mr. Milholland. That----
    Mr. Lankford. Has there been a notification back? Because 
that, as you said, is voluntary at this point. That has all 
been moved a year back. What was the dialogue in advance.
    Mr. Milholland. I was not privy to that conversation.
    Mr. Lankford. Okay. Is there a mechanism in place--was 
there a plan to have a mechanism in place for 2014 for 
employers to be able to verify their employees do have 
qualified health plans?
    Mr. Milholland. The mechanism that was to be in place was 
that they would report to the IRS.
    Mr. Lankford. Right.
    Mr. Milholland. And, I mean, that was part of the 
requirements----
    Mr. Lankford. Is that mechanism in place now?
    Mr. Milholland. No, it's not.
    Mr. Lankford. Okay. When did that get pulled? Because I'm 
sure that didn't get pulled June the 24th or 25th, as far as 
requiring that field to be turned in.
    Mr. Milholland. But it's part of the release that will come 
later, 2015. I mean, it's not in the system as of October 1, 
which we're doing this year.
    Mr. Lankford. Right, I understand the date's been moved on 
it. Prior to the 3rd of July, when it was announced that it's 
going to be delayed, was this planned to be a part of the IRS 
reporting system----
    Mr. Milholland. The----
    Mr. Lankford. --that employers would report starting in 
this year?
    Mr. Milholland. It was part of our plan but not to be 
implemented this year.
    Mr. Lankford. So, regardless, employers weren't going to 
report either way?
    Mr. Milholland. That's correct, this year.
    Mr. Lankford. Okay. So the delay that's occurred, to say 
we're not going to require that of employers this year, already 
lines up with what happening with data anyway? Or there was a 
change in the plan to gather data this year? That's what I'm 
trying to determine.
    Mr. Milholland. I'm not sure I fully understand your 
question. I would just say again that the implementation of 
that employer reporting wouldn't happen until 2015.
    Mr. Lankford. And that was the plan from the beginning?
    Mr. Milholland. From the beginning, yes, sir.
    Mr. Lankford. Okay. That's what I'm--that's all I'm trying 
to be able to determine from there.
    Ms. Tavenner, you mentioned earlier that there are third-
party sources of financial information. You mentioned even 
Equifax or some other outside organization. What's the 
connection there on the database with third-party 
organizations?
    Mr. Chao. We're looking--because there was talk of the 
requirement to have, you know, kind of, employer offering of 
coverage, we tried to look at our current contractor 
capabilities to see if there was some commercially available 
way to do that. And it's just in conversation and discussion 
right now.
    Absent of, you know, when things were known or not known, 
it was just--you know, for me, it was understanding the 
requirement and seeing if there's a data source that's 
available.
    Mr. Lankford. And is that a hub-type relationship, to be 
able to pull data when it's needed? Or is it a matter of 
getting data from them to be able to put on to the other piece? 
Because we've talked about two different functions here.
    Mr. Chao. Yes, pulling--it would be connected to the hub to 
pull that data from the----
    Mr. Lankford. There's a tremendous amount of credit 
information out there that's in error, obviously. What I'm 
trying to determine is, now that we're fighting off three 
different agencies that have credit information, trying to get 
things fixed, we would now have to also add CMS into that mix, 
as well? That if there's an error in my system, how would 
people know what is there----
    Mr. Chao. I----
    Mr. Lankford. --and whether they'd been accepted or denied? 
And how would they get that fixed?
    Mr. Chao. Chairman, I believe that when the--you know, 
saying ``Equifax'' and ``credit report'' is almost synonymous 
these days. When we work with a company, Equifax, they have 
lots of data sources that they make available.
    Mr. Lankford. Right.
    Mr. Chao. I think the employer offer of coverage, that 
potential for having that data, is part of their overall 
working with employers to pull payroll information to help 
service benefit administration, you know, kind of, practices 
for large employers for their employees. I don't think it falls 
under the FCRA, kind of, realm of----
    Mr. Lankford. Right. But the thought on it is--well, 
there's a whole bunch of issues. Just false information at all 
is hard enough to be able to track on it.
    But the thought is here, if they work for this certain 
employer, then they have been offered care, is the assumption 
there? Or is Equifax assuming that they'll be somehow reported, 
there's an employee that works for me, this was one was 
offered, this one wasn't? Is it just a matter of they have 
payroll data so they're paid by this company, this company has 
a qualified health plan, so they must have been offered? Is 
that just the assumption?
    Mr. Chao. Based on conversation with Equifax, they are 
having conversations with their employer clients that have this 
data relationship, and they're seeing if that's something that 
the employer community wants to provide as a service or a 
benefit to their employees so that they don't have to 
constantly answer questions and queries about coming back to 
them about offer of coverage.
    Mr. Lankford. Okay.
    One last question, and then Mr. Jordan, I think, has some 
wrap-up. And we need to get you all out of here, obviously.
    The individuals within the exchanges--and we've got an 
authorized user that's been authenticated. They've signed in. 
We know who they are; yes, they're one of ours. In a State, 
they're viewing data trying to make a decision; let's say this 
is something that's not automated.
    I assume most of the decisions are going to be made with 
parameters and it's going to be automated. Is that your 
assumption, as well?
    Ms. Tavenner. We are certainly going to encourage 
automation.
    Mr. Lankford. Yeah, I would assume the vast majority--you 
have millions of people coming through. Especially initially, 
those decisions aren't going to be made on someone's desk with 
a big stack.
    Ms. Tavenner. But it will no doubt be a combination of 
manual and automation.
    Mr. Lankford. Okay. So that individual that's there within 
a State that's making a decision on it has access to all that 
information. The challenge becomes, do we have a system in 
place for background checks for those individuals, limiting 
those individuals?
    If we visit with NSA, they can tell us exactly how many 
people have access to that information. And every time that 
information is accessed, there's an accountability process with 
it. What I'm trying to determine is, there are occasionally 
authorized users that do have access to it but they use it in 
an unauthorized way, if that makes sense.
    Ms. Tavenner. So they're--and I think the question you're 
asking is, who would help someone with an application?
    Mr. Lankford. No, not necessarily. No, it's an individual 
that has access to the information; they're authenticated as a 
person that is an employee there, whether it be a private 
contractor that works for a State or a State employees that's 
been authorized to be a part of the exchange. They have access 
to that information.
    What boundaries are there that they don't use that 
information for unauthorized purposes?
    Mr. Chao. From a program management perspective, when I 
talked about the harmonized security and privacy framework--and 
I did mention that there are some things that we cannot 
necessarily enforce upon States, but we can sign agreements 
with them. And in signing these agreements, they abide by 
certain security controls and thresholds that they, in essence, 
promise to uphold as part of the security practices.
    Now, in the world of security and cybersecurity and 
awareness today and security policies and imposing this 
operationally, if you look at the multiple security frameworks 
that are available--Federal Government, State government, and 
commercial--there is a significant overlap, in that we adopt 
the same controls, such as, you know, access management, 
authentication to a certain degree of assurance in authorizing 
their entrance into the systems. So we're in agreement on a 
very vast majority--large, vast majority of controls that are 
applied.
    Mr. Lankford. Right. I'm talking about just the background 
of how do we show that this person, once they've accessed data, 
that data that they accessed is for official purposes, not 
unofficial purposes. Because you now have data that was 
previously in a closed system that's opening up a little bit to 
new people that have been accessing information. So it's--am I 
making sense on that?
    Mr. Chao. Yes. Well----
    Mr. Lankford. Again, it's an authenticated user. It's just 
not using it for authorized purposes.
    Mr. Chao. I think we have, you know, other security 
monitoring tools. We look at behaviors and trends in how people 
are using the system and----
    Mr. Lankford. Right. We'll follow up on that in the days to 
come.
    The SPR that we talked about, Safeguard Procedures Report, 
how many States currently have that, that that is done and 
complete?
    Mr. Milholland. Mr. Chairman, I'm told that all 15 have 
submitted.
    Mr. Lankford. All 15 are done?
    Mr. Milholland. Yes. And I believe the Federal exchange has 
also.
    Is that correct?
    Yes.
    Mr. Lankford. I would hope that would be the easiest of all 
of them.
    Mr. Milholland. I would also add that we've begun our 
State-by-State or exchange-by-exchange safeguards reviews, 
literally, this week.
    Mr. Lankford. Well, that would be one to watch for, just 
unauthorized use for unauthorized purposes is one to be able to 
watch and to be able to track on it.
    How many--by the way, on all of our States now for 
exchanges--this is off topic. I'm going to change to Mr. 
Jordan, because we've got to go.
    Do all of our States have more than one option on the 
exchange, at this point? Are there States that, when they get 
to the exchange, will only have one option when they get to the 
exchange?
    Ms. Tavenner. You're talking about insurers now?
    Mr. Lankford. Yes, ma'am.
    Ms. Tavenner. We will not have all of that data until the 
end of July. But we are currently--and I think this State has 
been in the press. The State that we are most concerned about 
is Mississippi.
    Mr. Lankford. Okay.
    Ms. Tavenner. Otherwise----
    Mr. Lankford. So that it looks like all States will have 
more than one option on the exchange?
    Ms. Tavenner. Correct.
    Mr. Lankford. Okay. Thank you.
    Mr. Jordan?
    Mr. Jordan. Thank you, Mr. Chairman.
    I just want to go back to where the chairman was and be 
clear. Ms. Tavenner, were you consulted at all before the 
decision was made to delay the employer mandate?
    Ms. Tavenner. I was not consulted. Now, part of that, in 
fairness, was I was also on vacation at the time. So I was 
actually notified while I was on vacation.
    Mr. Jordan. Yeah. So you were notified. So you had a cell 
phone. So they got a hold of you, they could talk. I mean, 
you're the head of CMS, and you weren't even--they didn't even 
talk to you before they made this decision?
    Ms. Tavenner. I think the decision was made with IRS as a 
predominantly----
    Mr. Lankford. Mr. Chao, did they talk to you? Were you 
consulted before the White House decided to do this?
    Mr. Chao. No.
    Mr. Jordan. Mr. Milholland, were you consulted?
    Mr. Milholland. No, sir.
    Mr. Jordan. You weren't consulted?
    Mr. Milholland. No, sir.
    Mr. Jordan. Mr. Werfel told us--told me about an hour ago 
you were the expert, and they didn't even call you?
    Mr. Milholland. I was not consulted.
    Mr. Jordan. Was Mr.--to your knowledge, was Mr. Werfel 
consulted?
    Mr. Milholland. I believe Mr. Werfel said he received 
notification on----
    Mr. Jordan. So none of the people who are going to be 
implementing this were even asked, is this the right move?
    Was Sarah Hall--to your knowledge, Mr. Milholland, was 
Sarah Hall Ingram consulted?
    Mr. Milholland. I do not know.
    Mr. Jordan. That's amazing to me.
    You know, Ms. Speier talked about folks who want to throw a 
train wreck into--or throw a--mixed metaphor--throw sands into 
the gears. I would just remind, it hasn't been Republicans 
who--and we have Mr. Baucus, one of the architects of the law, 
calling it a train wreck. We have the President suspending the 
law without consulting the people who have to actually make it 
work.
    Mr. Chao, you made a statement back in March that you hoped 
the exchanges wouldn't be a, quote, ``third-world experience.'' 
So you obviously had some knowledge and some concerns to prompt 
that statement. Are those concerns still relevant, still valid?
    Mr. Chao. I was speaking before an audience of issuers that 
I had spoken to before, and it was a poor attempt at humor. So 
I wouldn't necessarily----
    Mr. Jordan. I don't know that it was a poor attempt at 
humor. It may have been--you know, you may have been a 
visionary, you may have been a prophet.
    I mean, this is--the fact that they didn't even talk to you 
is what I think is amazing. You don't talk to the head of CMS, 
you don't talk to the head of the IRS, you don't talk to the 
person at the IRS who is actually in charge of the Affordable 
Care Act Office, you don't talk to the technical database 
expert, Mr. Milholland. You just decide one day you're going to 
waive part of the law.
    I mean, we had the previous Democrat talk about when 
Medicare was--I'd be your curious to know if the President at 
the time Medicare was implemented, if he asked for a delay in 
the law. Maybe he did, but I don't know about it.
    This is amazing.
    But let me ask you one specific question, Ms. Tavenner. In 
February of this year, HHS System of Records Notice includes 
the following statement: ``The Secretary''--you--``along with 
other appropriate agencies, will establish an appeals process 
for individuals and employers when eligibility is denied as a 
result of inconsistencies between information obtained from 
applicants and enrollees and employers and information and data 
verified through the exchange.''
    I have no idea what all that means; I hope you can tell me. 
Maybe you can define what ``inconsistencies'' are. Do you have 
a list of what those may be? You obviously anticipate problems 
because you're setting up an appeals process, so can you give 
me some insight into that?
    Ms. Tavenner. So the appeals process is required in the 
law, but I will remind you, there's also an appeals process 
today in Medicaid and CHIP and other programs, because 
sometimes----
    Mr. Jordan. I understand that. Do you have--but, I mean, 
specifically, what are you thinking about? Obviously, you think 
that it's going to happen. The law requires you have some kind 
of appeals process. That makes sense to me; we understand that. 
What are some of the anticipated inconsistencies?
    Ms. Tavenner. So I think perhaps people submit information 
and they get denied, and they believe their information was 
incorrect and they want to bring new information forward. But 
I'll be happy to get you a list.
    Mr. Jordan. So you don't know what the list is. You just 
use the term ``inconsistency'' because you anticipate there's 
going to be problems.
    Ms. Tavenner. No, we're----
    Mr. Jordan. You anticipate this, in fact, could be a train 
wreck. You anticipate, in fact, this could be a third-world 
experience.
    Ms. Tavenner. I do not anticipate that. And the--we are 
currently in rulemaking on the appeals process, and the final 
rule will be out shortly.
    Mr. Jordan. Do you think the--do you think everything could 
be up and running, working on October 1st, and the start of 
next year, this law can be fully implemented, working, you 
think it can all function the way it's supposed to, the way the 
folks who voted for it designed it to, do you think that can 
all happen?
    Ms. Tavenner. Yes, sir. You know, my background has been--
--
    Mr. Jordan. Okay. So if you think that can all work, you 
would think the administration would call you up and consult 
with you before they decided to say, ``You know what? We don't 
think it can, and we're going to delay part of it.'' That seems 
logical to me, doesn't it?
    Doesn't that seem logical to you, that you, the person in 
charge of it, would be called, would be consulted? Don't you 
think it makes sense for you to be consulted before a major 
decision, a major element of the law is simply waived for a 
year?
    Ms. Tavenner. The employer mandate rests within IRS----
    Mr. Jordan. That's not what I asked. Don't you think it 
makes sense for you, the head of CMS, charged with implementing 
this law, don't you think it makes sense for you to be 
consulted?
    Because if you don't, then that's scary, too. If you don't 
think, as the person who heads CMS, you should be consulted 
before a major decision to unilaterally just delay part of the 
law should take place, if you don't think you should be 
consulted, then I've got concerns on that side, as well.
    So do you think you should've been consulted?
    Ms. Tavenner. I think I've been consulted all along.
    Mr. Jordan. Well, no, that's not--you just told me--4 
minutes ago, you just told me you weren't consulted.
    Ms. Tavenner. I'm----
    Mr. Jordan. So which one is it? Because you have to tell us 
what really happened. You can't have it both ways. Were you 
consulted or weren't you consulted?
    Ms. Tavenner. I was not consulted. I'm just saying that----
    Mr. Jordan. Well, then----
    Ms. Tavenner. --in the last year----
    Mr. Jordan. Now, wait a minute. So, then, 10 seconds ago, 
you just said you were.
    Mr. Lankford. I'll ask the gentleman to let her answer.
    Ms. Tavenner. Please let me finish my sentence.
    Mr. Jordan. I want you to finish, and I just want you to 
finish it truthfully, because you've told me two different 
things.
    Ms. Tavenner. Well, I take objection to that, because I've 
told you the truth.
    Mr. Jordan. We can read the transcript.
    Mr. Lankford. I would ask the gentleman to let her finish 
answering.
    Ms. Tavenner. Thank you.
    So the last 3-1/2 years, I actually started----
    Mr. Jordan. I want you to answer one question. Were you 
consulted or not? And now I'll let you answer.
    Ms. Tavenner. I've said I was----
    Mr. Jordan. Were you consulted?
    Ms. Tavenner. --not consulted.
    Mr. Jordan. Okay. Thank you.
    Thank you, Mr. Chairman.
    Ms. Tavenner. And I guess I won't get to finish my----
    Mr. Lankford. No, go ahead. You can respond.
    Ms. Tavenner. For the last 3-1/2 years, I've worked at CMS. 
I started at the time that the rule--that the law was actually 
passed. And I have been an integral part of every decision 
that's made.
    In the case of the IRS and the employer mandate, I was not 
consulted.
    I do feel like I'm part of the process.
    Thank you.
    Mr. Lankford. And, by the way, we assumed you are part of 
the process. You have been an integral part of that. That's 
somewhat the surprise to us. We're trying to figure out where 
this came from. And it is a major shift in what's happening. 
And we assumed there was some conversation in trying to figure 
out the whys and the whats with it. And that clarification has 
not come. We've also written letters to the administration to 
try to get some clarification. So it's not just on you. It's a 
surprise, as well. We would assume that IRS and CMS would be 
consulted on this process and would be a part of the decision-
making.
    You all have had a very long day. I appreciate you being 
here. I hope you get a nice, relaxing lunch where it's quiet 
and to be able to get some time away on that.
    With that, this hearing is adjourned.
    [Whereupon, at 1:10 p.m., the subcommittees were 
adjourned.]



                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 
