The Department of Health and Human Services’ Center for Medicare & Medicaid Services allowed state Obamacare exchanges to launch at the beginning of October without having an independent security assessment completed, as required by OMB guidelines and federal law.
A recently discovered document published by the Center for Medicare & Medicaid Services (CMS) raises serious questions about the security and privacy of the state health insurance exchanges and further highlights the extent to which the Obama Administration skirted federal standards in order to launch the exchanges by October 1.
The document, which contains a list of “Frequently Asked Questions” related to the privacy and security assessment process for the exchanges, was discovered via a status report [pdf] published by the Nebraska Department of Insurance.
The status report included a link to a CMS-hosted webinar, which occurred on September 13. While only a portion of the webinar presentation was viewable as of this writing, it provides some insight into the directives CMS was providing to key stakeholders related to the security and privacy of the exchanges only weeks before launch.
Here is the viewable portion of the presentation in its entirety:
The document makes clear that all exchanges were required to obtain an independent assessment of their systems to ensure they met the “Minimum Acceptable Risk Standards” as earlier defined by CMS.