After three years of software development costing over $300 million, the ACA web pages do not support health insurance enrollment. ACA applications are incomplete seven weeks (to date) after it was declared as ready for full operational deployment.
The following are observations about faulty program management practices:
Insight: Component and system integration testing should be performed continually throughout the entire software development process. In case of large software projects sub-systems and application functional testing should be done daily.
What we found: ACA is a three-year, >500,000 million lines of code application. It was not tested until a few days before the program was launched as operational software. (http://www.nytimes.com/2013/10/25/us/politics/bipartisan-dismay-over-health-plan-woes-at-house-hearing.html?pagewanted=2&ref=cgigroupinc&pagewanted=print&_r=0). Postponing functional testing for the entire program to the end of a project invites the proliferation of coding and logic errors that will be difficult to correct.
Identity ManagementInsight: An application that must serve a wide range of customers must insist on an error-proof uniqueness of network clients. The authentication of the integrity of customers must be seen as a part of the primary quality control responsibilities.
What we found: In the case of ACA identity management, including the management of password records, was delegated to the Quality Software Services, a subcontractor that is not in a position to independently authenticate insurance applicants from the general public. For instance, ACA now depends on validation of an individual’s identity from the Internal Revenue Service database, which is not reliable. For instance, the IRS continues to issue fraudulent tax refunds. In 2011 1.1 million tax refunds were issued using bogus Social Security Numbers. In these cases IRS confirmed identity theft instances (http://www.treasury.gov/tigta/auditreports/2013reports/201340122fr.pdf). Meanwhile the on-line ACA sign-up and identity verification process is only partially complete, which makes it open to theft or misuse of social security numbers.
Insight: A shared data dictionary for a transaction based network participant is mandatory to assure uninterrupted communications. Rapid response time is required when a web site must process a sharp peak in the volume of transactions.
What we found: ACA depends on a multiplicity of databases to function. This includes an estimated 170 insurance carriers as well as 47 contractors to be continually verified for interoperability (http://www.cnn.com/2013/10/24/politics/congress-obamacare-website/). Access to Federal and State Medicare, Medicaid files must be also assured, though most States are still in the process of installing on-line capabilities.
Insight: When an application depends on data obtained from another functional area, great care must be exercised to define the reliability and the security of the received information.
What we found: The Government Accountability Office (GAO) has designated Medicare and Medicaid as high-risk programs vulnerable to fraud. ACA depends on these programs since the health benefits, insurance and subsidy programs will affect all payments to individuals. The Department of Health and Human Services (HHS) has obligated approximately $583.6 million to fund Health Care Fraud and Abuse Control (HCFAC) program activities for five years (http://www.gao.gov/assets/660/658345.pdf). Such large funding is necessary because Medicare and Medicaid are particularly vulnerable to fraud. There are no indications that ACA has based its security for readiness to deal with potentially fraudulent inputs from other parts of HHS.
Insight: Attempts to make major change in the functional requirements in a multi-year program should be attempted only after a thorough analysis of all of the supporting applications components have been examined and only after sufficient time is allowed for large scale pilot testing.
What we found: Major changes of policies were made a few weeks prior to start-up in full operations. The logical sequence of the customer registration features was reversed, with far reaching consequences on the links between independent programs produced by different subcontractors. In addition, after the completion of software coding there were numerous changes in the specifications made by more than five policy-setting sources.
Keep Track of the Budget
Insight: Tight tracking of the budget is mandatory, such as monthly reviews of spending with the executive who is directly accountable for the total program cost. When the costs of any project approaches a quarter the total projected commitment must be also reviewed. When the forecast estimate to complete exceeds the target budget, a third party audit is also in order.
What we found: In the case of ACA $292 million was spent on building Healthcare.gov, nearly three times the amount originally contracted to CGI Federal, integration contractor. (ey.usnews.com/money/blogs/my-money/2013/11/05/4-facts-about-the-first-month-of-obamacare--what-did-you-miss). Additional spending from other sources is also taking place, such a government award of $67 million for the hiring and training staff for help in signing up customers. There is also an unspecified large sum provided for funding an “outreach program” for uninsured people.