After the media explosion surrounding the launch of HealthCare.gov in October 2013, the Government Accountability Office launched an investigation into what caused the errors. The report, requested by Congress, was released March 5.
The GAO found a pattern of poor practice enforcement and software coding errors that led to poor functionality on the website. Because of several major errors, the website was down for an estimated 60 percent of the time for a few weeks in October 2013, according to the report. For virtually every error, CMS has claimed it had insufficient time to complete the website by the October 2013 deadline.
The HHS concurred with all the findings of the report and has stated that it will make corrections to address the issues. CMS has also begun to take corrective action.
Here are 10 things to know from the report.
1. The website's marketplace operates through private-sector cloud services. The Federally Facilitated Marketplace system uses data processing and storage resources through private sector vendors over the Internet. This includes the personal information, financial qualifiers and plan management information an individual submits when applying for health insurance. The data is stored on a "private cloud" established for the website called the Data Services Hub that acted as a medium for sharing information between the FFM and CMS' external partners. In February, it was shown that third-party websites such as Google, Yahoo and Twitter had access to the information entered on HealthCare.gov.
2. CMS developed the website without effective planning or oversight. The agency incurred significant cost increases, schedule mistakes and delayed system functionality because of changing requirements for functionality and lack of communication. More federal agencies were supposed to have input on the development of the website, but CMS failed to report any uncertainties until after the launch.
3. The FFM contractor made major coding errors. An assessment ordered by CMS in September 2013 observed 45 critical and 324 serious coding flaws in the structure of the website. However, CMS did not take enough steps to correct the issue or penalize the contractor for making the mistakes. Of the $12.5 million paid in the contract, only $267,000 was withheld, less than 2 percent of the total contract fee.
4. There were major security flaws. The GAO identified flaws in the technical controls of the FFM protecting the confidentiality, integrity and availability of the system. CMS did not require strong password controls, adequately restrict Internet access, consistently implement software patches or properly configure an administrative network.
5. CMS was aware of the errors. The agency knew about the problems with the website before it was deployed but went ahead with the launch anyway to meet the October 2013 deadline. CMS has since addressed many of the problems, improving the function.
6. The website was launched without sufficient visitor capacity. CMS officials claimed they incorrectly estimated the number of expected visitors to the online exchange in 2014, leading them to plan for fewer people. The website was launched without sufficient visitor capacity, leading to errors.
7. The majority of the eligibility requirements were never approved by CMS. Of the 37 FFM eligibility and enrollment functional requirements the GAO examined, nine were approved before development, eight were approved after being sent to development and 20 were never approved by CMS. Additionally, of the 67 Data Storage Hub requirements examined by the GAO, none were approved by CMS. Officials claimed they were trying to develop the system in an expedited fashion to meet the deadline.
8. Supporting systems testing was patchy. Two months before the scheduled launch, integration tests with payers on the website had not been completed. End-to-end testing was never completed before the website launched. CMS also did not always ensure that system defects found during testing were corrected, leaving many errors active in the system.
9. Oversight was inadequate. Theoretically, the HHS, CMS and the OMB were supposed to oversee the project. However, CMS did not always ensure that project schedules were well-constructed, estimate accurate levels of effort for DSH and FFM functional requirements, implement data management and monitoring processes or conduct all recommended and required project progress and milestone reviews. CMS has since reevaluated the schedules for development. Frank Baitman, the CIO of HHS, also had limited input on the project and has stated that no one raised issues of HealthCare.gov's functionality at the monthly meetings.
10. The HHS will have more active involvement in the administration of the website. One of the executive action recommendations is for the Secretary of HHS to direct the CIO to document the approval process for functional and technical design requirements and implement CMS procedures to obtain signatures from three key stakeholders — the CMS business owner, the MS approval authority and the contractor organization — to ensure that they have a shared understanding of all the requirements.