Skip Navigation
United States Flag

An official website of the United States government. Here's how you know >

A New Look for HHS-OIG. Learn More >>

U.S. Flag An official website of the United States government.
Change Font Size

Audit (A-18-13-30070)

Observations Noted During the OIG Review of CMS's Implementation of the Health Insurance Exchange-Data Services Hub

Complete Report

Download the complete report

Adobe® Acrobat® is required to read PDF files.


This memorandum report provides the results of our review of the Centers for Medicare & Medicaid Services' (CMS) implementation of the Data Services Hub (Hub), which is intended to support Health insurance exchanges, from a security perspective. To determine the status of the implementation of the Hub, we assessed the information technology security controls that CMS is implementing for the Hub, adequacy of the testing activities being performed during its development, and the coordination between CMS and Federal and State agencies during the development of the Hub.

CMS is addressing and testing security controls of the Hub during the development process. CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date for health insurance exchanges of October 1, 2013. If there are additional delays in completing the security assessment and testing, CMS may have limited information on the security risks and controls before the exchanges open.

Health insurance exchanges are State-based competitive marketplaces where individuals and small businesses will be able to purchase private health insurance. The Hub will help facilitate the access of data by exchanges; enable verification of coverage eligibility; provide a central point for the Internal Revenue Service when it asks for coverage information; provide data for oversight of the exchanges; provide data for paying insurers; and provide data for use in Web portals for consumers.

CMS stated that it is confident that the Hub will be operationally secure before October 1, 2013.

Copies can also be obtained by contacting the Office of Public Affairs at

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201