Henry Chao says he was not involved in any briefings on the report. | M.Scott Mahaskey/POLITICO Chao: Up to 40% of ACA work left

A key player in the Obamacare website’s creation acknowledged Tuesday that up to 40 percent of IT systems supporting the exchange still need to be built.

The revelation from Deputy Chief Information Officer Henry Chao of the Centers for Medicare & Medicaid Services occurs as the administration works at its Nov. 30 deadline to shore up the website.


“It’s not that it’s not working,” Chao told lawmakers at an Energy and Commerce Oversight and Investigations subcommittee hearing. “It’s still being developed and tested.”

( PHOTOS: Obamacare online glitches: 25 great quotes)

Financial management tools remain unfinished, he said, particularly the process that will deliver payments to insurers.

A Health and Human Services source said the health plans can receive the payments consumers make when they enroll. The system isn’t yet ready to deliver federal subsidies to insurers.

The update hits hardest at Democrats, who hoped the system would function smoothly by the end of the month.

It also concerned insurers, who expressed worries Tuesday with Chao’s disclosure. Many of the back-end systems were meant to come online in December, so the agency hasn’t missed those deadlines yet. But the extent of the problems with HealthCare.gov are fueling doubts that the systems will be ready when they’re needed.

( Also on POLITICO: Report warned of website flaws)

The functions need to operate correctly so insurers can enroll the right people in the right plans. That process, called reconciliation, has to work so people can get the care they seek starting as early as Jan. 1.

“There’s not a lot of confidence that the reconciliation process is going to be up and running in time, and given all the challenges that we’re facing with the enrollment files, that’s a big cause of concern,” an insurance industry source said. “If people are enrolling, but the back-end systems are not working, their coverage could ultimately be disrupted. They may think they’re enrolled in a plan and they’re not. They may show up at the doctor’s office and not be covered.”

Chao said Tuesday that the consumer portion of the website, including account registration, plan shopping and enrollment functions, won’t be affected by the ongoing development effort, but that “back office” functions, including accounting and payment systems, were not yet complete. He called the figure “just an approximation.”

This issue could resurface Wednesday when CMS’s Center for Consumer Information and Insurance Oversight Director Gary Cohen testifies before the Senate Small Business and Entrepreneurship Committee.

The tech leader also told lawmakers he didn’t see a spring report that warned of potential stumbles and foreshadowed many of the problems that thwarted the website’s launch.

“I was aware some document was being prepared,” he said, but had no knowledge of a report until it was leaked to The Washington Post and obtained by POLITICO.

( IN 90 SECONDS: Obamacare puts Democrats’ credibility on the line)

Chao told the oversight subcommittee that he may have answered questions for the study but was not involved in any briefings on it.

The report, which independent consulting firm McKinsey conducted for CMS, described a process that relied too heavily on outsider contractors, didn’t provide enough time for complete testing and failed to hand authority to one decision maker. Chao’s limited knowledge of the report feeds lawmaker frustrations with the site’s fractured management and unclear controls.

The study did not include options for a delayed deadline. CMS officials say the agency took steps to address the issues.

These tidbits came out just before the oversight subcommittee’s hearing on site security. Republicans have jumped on safety concerns, partly to highlight flaws in the website’s development and demand its shutdown. Democrats have tried to play down fears, although both parties express unease about a system that did not undergo complete testing before launch.

But on Tuesday, accusations focused more on the March memo.

Democrats slammed their Republican counterparts for receiving documents and failing to share them.

“This is clearly a violation of the committee,” said Rep John Dingell (D-Mich.).

Republican staff did not provide information to Democratic staff until four days after it was received, according to a letter circulated during the hearing from oversight ranking member Diana DeGette (D-Colo.), Energy and Commerce ranking member Henry Waxman (D-Calif.) and Dingell to subcommittee Chairman Tim Murphy (R-Pa.). And when Republicans finally passed along information, less than 24 hours before Tuesday’s hearing, Democrats say staff received only some of the materials. Other parts appear to have gone to the press, they said.

When the leaders got to safety, they offered contrasting views.

Murphy said the website currently “screams to those trying to break into the system, ‘If you like my health care info, you can steal it.’”

DeGette warned that the hearing could “create more smoke if there is no fire.” She reminded the committee that CMS has complied with every security law and created procedures to handle risks.

But the new details don’t help.

“What this report talks about is chaos at CMS,” Rep. Steve Scalise (R-La.) said. “Nobody is in charge.”

Security experts have pointed to potential cracks in the site, including initial glitches in the password reset process that could have enabled hackers to steal personal information.

Chao assured consumers their information is safe. The federal data hub, which verifies eligibility for the exchange, does not store information. The website currently features a dedicated security team to monitor progress, undergoes weekly performance testing and receives daily scans. “We’ve gone over and above” to ensure safety, Chao said.

He insisted CMS followed the laws that govern privacy and federal information security. And contractors that worked on the site’s safety aspects on Tuesday defended their role.

Security — whether for political reasons or legitimate concerns — is a popular topic in Congress these days. The House Science, Space and Technology Committee called a hearing Tuesday on the same issue, at the same time. The committee brought in outside experts and focused on possible flaws in the system. The House Homeland Security Committee held its safety hearing last week and focused on the Department of Homeland Security’s limited role in the website’s development.

Contractors at the oversight hearing distanced themselves from any responsibility for overall security.

MITRE, a federally funded nonprofit, handled the security assessments on various parts of the site. But it refused to wade into safety concerns.

“We have no view on the overall ‘safety’ or security status of HealthCare.gov,” said Jason Providakes, senior vice president and general manager at MITRE’s Center for Connected Government.

He also emphasized that the organization, while responsible for six security control assessments directly on HealthCare.gov, does not have authority over the site’s security. Providakes said MITRE was not asked to perform end-to-end security testing and did not offer a suggestion on whether the administration should move ahead with the launch.

MITRE tested only “specific parts of HealthCare.gov within specific parameters established by CMS,” he said, working alongside a CMS-designated contractor to address concerns, “and in almost all cases we succeeded.”

Providakes, unlike Chao, said he was familiar with the McKinsey report.

Creative Computing Solutions and its subcontractor, Foreground Security, dealt with safety for the virtual data center that hosts systems or applications — also known as the eCloud. The pair monitors perimeter firewalls and network devices on the cloud. The committee invited Verizon Terremark, which managed infrastructure for the federal data hub, but the company declined.

CCSI also backed away from any involvement. “Activities involving the development, scaling, testing, release or administration” of the federal exchange “are not within the scope of our contract,” said Maggie Bauer, CCSI’s senior vice president.

David Amsler, president of Foreground Security, also made clear that the company had a narrow agenda and “did not monitor the site for performance purposes.”

Brett Norman contributed to this report.