Healthcare.Gov's Hidden Problem

NEW YORK (MainStreet) — The hidden problem at Healthcare.gov, the Obama Administration's health care marketplace, has little to do with the Web site.

It's the old problem of identity.

Before being given any prices, users have to prove who they are. This is done so that subsidies can be calculated, as with this sample calculator at the Kaiser Foundation.

But the result is you can easily get lost in a Kafkaesque maze, as happened to my daughter when I tried to help her sign up for coverage – she turns 26 in February.

Pete Palmer, now chief security officer for MedAllies, a health care automation consultant, said identity is a huge problem for all of e-commerce. He has been working with a succession of groups, most recently the Kantara Initiative, on a "trust framework" aimed at simplifying the problem.

Based on the importance of getting identity right and the risk in getting it wrong, The National Institute of Standards and Technology (NIST) considers Healthcare.gov the equivalent of what Kantara calls a "Level 3" site. This is consistent with the rules under the Health Insurance Portability and Accounting Act (HIPAA), which has made you sign-off on any data you give to your doctor.

Level 3 requires that a government-issued ID, like a passport or state-issued driver's license, be shown and validated before a human being to prove identity.

That can't really be done online.

One way to get around this is by asking an applicant questions only they can answer. You'll see these "security questions" deployed by many banks, questions like where were you born, what was the name of your first pet and what your favorite car might be.

"That has to happen in real time, it has to match what is seen by the government," said Palmer. "Then there are a second set of questions that only the applicant should be able to answer."

In our case, my efforts to help my daughter sign up caused us to get some of those answers wrong. The only way forward, we were told by phone, was to actually mail a copy of her license and birth certificate, proving her identity but creating grave risks if the letter were lost.

All these identity management standards can be found in a NIST documentcreated in the wake of a Presidential Directive issued in 2004, Palmer said.

Joni Brennan, executive director of the Kantara Initiative, which works on private trust and identity frameworks, said many problems can be avoided by using a Security Assertion Markup Language, a standard format for handling authentication and authorization between identity providers, like a state license authority and a service provider like Healthcare.gov.

"The problems could have been avoided," she said. "This component of strongly proving identity before going through the door was a policy decision, and the technology made that happen. They wanted people to understand that they would be eligible for subsidies."

When people get insurance through their employers, the employer vouches for employees' identity, and their families are sent cards by insurance companies with a group number and an insured number. These act as "index terms" doctors can input into the insurance company database to handle billing.

Once someone is insured through Healthcare.gov, an insurance company can follow this same policy, delivering a simple paper card that can work for up to a year, so long as monthly premiums are paid.

The problem of identifying both patients and doctors has bedevilled the health care sector for decades, Palmer added, but help is now on the way through the "meaningful use" guidelines of the HITECH Act, passed as part of the 2009 Stimulus.

The first stage of the act, getting computers into clinics and hospitals, is now mostly complete. In the second stage, starting in January, health care providers need to start connecting to each other electronically, using a network called DirectTrust operating under identity standardslike those Kantara has called for.

The final stage of HITECH, which should start in 2016, will have doctors and other providers communicating directly to patients, using the DirectTrust network and its identity framework. Finally, you'll be able to e-mail your doctor, and your doctor will be able to e-mail you.

There are several moving parts to this, Palmer concluded. Some are public, like the Real ID standards now used for a driver's license in some states, while others are private, like the Kantara Initiative. Getting them to work together is a long-term process, not something you can switch on like a light bulb.

Or like the government tried to switch on Healthcare.gov.

--Written by Dana Blankenhorn for MainStreet

Show Comments

Back to Top