This page, Audit of the Commonwealth Health Insurance Connector Authority Overview of Audited Entity, is offered by the Office of the State Auditor.

Audit of the Commonwealth Health Insurance Connector Authority Overview of Audited Entity

This section describes the makeup and responsibilities of the Commonwealth Health Insurance Connector Authority.

Overview

The Commonwealth Health Insurance Connector Authority (Connector) was established pursuant to Chapter 176Q of the Massachusetts General Laws, as added by Section 101 of Chapter 58 of the Acts of 2006, to provide affordable health insurance to the citizens of Massachusetts. People who do not meet the required income eligibility levels to participate in the Commonwealth’s Medicaid program (also known as MassHealth) are referred to the Connector, which was established to help them obtain affordable health insurance.

The Connector is an independent public entity not subject to the supervision and control of any other executive office, department, commission, board, bureau, agency, or political subdivision of the Commonwealth, except as specifically provided in general or special law.

According to its website, the Connector’s mission is to “advance access to high-quality health care by serving as a transparent and transformative marketplace for Massachusetts residents and small businesses to come together and easily find, compare, and enroll in affordable health insurance.”

The Connector is governed by an 11-member board that includes the chair, who is the Secretary of the Executive Office of Health and Human Services; the Secretary of the Executive Office for Administration and Finance; the Commissioner of Insurance; the Executive Director of the Group Insurance Commission; four members appointed by the Governor; and three members appointed by the Attorney General.

The Connector’s central office is located at 100 City Hall Plaza in Boston, and the Connector has walk-in locations in Boston, Springfield, and Worcester. As of June 30, 2023, the Connector had 79 employees.

The Connector is not funded by any line items (or appropriations) in the Commonwealth’s annual budget. It receives funding from the following two sources:

  • the Commonwealth Care Trust Fund, which was established in accordance with Section 2OOO of Chapter 29 of the General Laws, which states, “Amounts credited to the fund shall be expended without further appropriation for programs administered by the commonwealth health insurance connector authority pursuant to chapter 176Q [of the General Laws] that are designed to increase health coverage for residents of the Commonwealth,” and
  • Section 12(a) of Chapter 176Q of the General Laws, which states, “The connector may apply a surcharge to all health benefit plans or stand-alone vision or stand-alone dental plans which shall be used only to pay for administrative and operational expenses of the connector.”

Connector Enrollment

Individuals and families applying for health insurance through the Connector can do so via the Health Connector online portal, on a paper application in person, over the telephone, or with an assister.[1] The applicant’s household information—which includes the applicant’s name, Social Security number, date of birth, household income, place of residence, family size, projected yearly income(s) of working household members, proof of Massachusetts residency, and whether any household members currently have health insurance—is entered into the Connector’s database and used to make an eligibility determination.

The Connector verifies an applicant’s reported income with the US Internal Revenue Service and the Massachusetts Department of Revenue. The Connector verifies an applicant’s residency using an online research tool called LexisNexis. Other information, such as immigration status and access to other health coverage like Medicare, is verified using the Federal Data Services Hub (which involves the US Social Security Administration, the US Department of Homeland Security, and Medicare/Medicaid). If discrepancies exist between an applicant’s attestation and the Connector data, the Connector sends the applicant a request for additional documentation to support their application.

The Connector follows regulations as found in Section 155 of Title 45 of the Code of Federal Regulations to determine whether an applicant is eligible to participate in the program and to verify information provided by applicants.

The table below shows a distinct count of all enrolled Connector participants across the state during the audit period.

County          Number of Distinct Enrollees During the Audit Period
Middlesex       58,867
Essex           36,950
Suffolk         34,700
Worcester       32,508
Norfolk         24,976
Bristol         23,521
Plymouth        20,804
Hampden         15,427
Barnstable      12,518
Hampshire       5,181
Berkshire       5,134
Franklin        3,824
Dukes           1,647
Nantucket       1,252
Out of State    2,199
Other*          107,747
Total           387,255

* Other represents people who did not provide a ZIP code.

Connector’s Complaint/Issue Process

Anyone can request assistance from the Connector by telephone, email, or mail or in person. A request comes in one of the following two ways:

  • A request is routed through Accenture, a third party that handles initial customer relations for the Connector related to member-facing billing, enrollment, eligibility, and more.
  • A request is made by a member who makes an allegation related to fraud, privacy breach, discrimination, or language rights issues, using four dedicated email inboxes and phone lines.

If an issue that Accenture received requires escalation, it is forwarded to the Connector Ombuds Team,[2] which conducts additional research and issue resolution. The total number of issues referred to the Connector Ombuds Team during the audit period was 2,309.

Any issue that Accenture or the Connector Ombuds Team believes is related to fraud, privacy breach, discrimination, or language rights issues is forwarded to the compliance manager and/or the privacy officer. Complaints that rise to the level of an actual case related to fraud, privacy breach, discrimination, or language rights violations will be tracked in the Ombuds or the Connector’s privacy and security incident logs until completion. The privacy and security log contains a description of the complaint, the name of the individual making the complaint, the severity of the complaint (critical, moderate, or minor),[3] the number of people affected, and steps taken to manage and respond to the complaint. The compliance manager then sends remediation steps to the privacy officer for review and approval. In conjunction with the compliance manager, the privacy officer ensures that the applicable laws, regulations, and Connector policies and procedures are followed to remediate the complaints in an appropriate manner.

The Connector legal team stated that no issues received during the audit period rose to the level of an actual case related to fraud, privacy breach, discrimination, or language rights violation.

Cybersecurity Awareness Training

The Executive Office of Technology Services and Security (EOTSS) has established policies and procedures that apply to all Commonwealth agencies within the executive branch. These policies and procedures require executive branch agencies to implement internal procedures that ensure that their employees comply with the requirements in EOTSS’s aforementioned policies and procedures. EOTSS recommends, but does not require, that non-executive branch agencies follow its policies and procedures. Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 states,

The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets. Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity.

To ensure that employees in all Commonwealth agencies within the executive branch are clear on their responsibilities, EOTSS’s policies and procedures require that all newly hired employees[4] complete an initial cybersecurity awareness training course within 30 days of their orientation, and that all existing employees[5] complete an annual refresher cybersecurity awareness course. However, Connector policy requires that all newly hired employees complete cybersecurity awareness training before being given access to the data. The Connector’s Human Resources Department issues a System Access Request to the authority’s Information Technology Department to inform it when a newly hired employee has completed the training.

1. An assister is a certified enrollment expert who can help applicants understand their coverage options, answer questions they may have, and help them find the most affordable coverage that meets their needs.

2. The Connector Ombuds Team is composed of Connector staff members and is responsible for the end-to-end resolution of complaints received from various escalation channels.

3. According to the Connector’s “Policy and Procedures for Responding to and Reporting Security or Disclosure Related Incidents,” the Connector categorizes complaints into three distinct severity levels: critical, moderate, and minor. Critical complaints are defined as those involving the misuse of personally identifiable information and violations of the Health Insurance Portability and Accountability Act. Moderate complaints encompass civil legal actions, which may include regulatory penalties or other civil disputes that could adversely affect the reputation of the Connector. Minor complaints refer to violations of policy that do not result in security breaches.

4. For the purposes of this audit report, we use the term newly hired employees to refer to employees who were hired during the audit period, unless stated otherwise.

5. For the purposes of this audit report, we use the term existing employees to refer to employees who were hired before the start of the audit period, unless stated otherwise.

Date published: December 23, 2024
