Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Observations Noted During the OIG Review of CMS's Implementation of the Health Insurance Exchange-Data Services Hub

This memorandum report provides the results of our review of the Centers for Medicare & Medicaid Services' (CMS) implementation of the Data Services Hub (Hub), which is intended to support Health insurance exchanges, from a security perspective. To determine the status of the implementation of the Hub, we assessed the information technology security controls that CMS is implementing for the Hub, adequacy of the testing activities being performed during its development, and the coordination between CMS and Federal and State agencies during the development of the Hub.

CMS is addressing and testing security controls of the Hub during the development process. CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date for health insurance exchanges of October 1, 2013. If there are additional delays in completing the security assessment and testing, CMS may have limited information on the security risks and controls before the exchanges open.

Health insurance exchanges are State-based competitive marketplaces where individuals and small businesses will be able to purchase private health insurance. The Hub will help facilitate the access of data by exchanges; enable verification of coverage eligibility; provide a central point for the Internal Revenue Service when it asks for coverage information; provide data for oversight of the exchanges; provide data for paying insurers; and provide data for use in Web portals for consumers.

CMS stated that it is confident that the Hub will be operationally secure before October 1, 2013.