Nearly two months after Health and Human Services (HHS) Secretary Kathleen Sebelius announced that her agency would create a new Chief Risk Officer (CRO) position to prevent a repeat of the Healthcare.gov debacle, the position is apparently still unfilled. HHS, however, has continued to solicit and award the very information technology (IT) contracts that the new CRO was intended to oversee.
On December 11, 2013, Sebelius announced a directive to Centers for Medicare and Medicaid Services (CMS) administrator Marilyn Tavenner to create the Chief Risk Officer position and appoint someone to fill the role. However, CMS has been silent about the position so far, and the CMS organizational chart still does not include a CRO. Although Sebelius set no deadline for creating or filling the position, the secretary implied urgency by saying that the new CRO would be required to report back in 60 days with recommendations.
When Sebelius announced her intent to create the CRO position, she made the following statement:
The Chief Risk Officer’s first assignment will be to review risk management practices when it comes to IT acquisition and contracting, starting with identifying the risk factors that impeded the successful launch of the HealthCare.gov website. I will ask this individual to report back to me in 60 days with recommendations for strategies to mitigate risks in future large-scale, CMS contracting and IT [information technology] acquisition projects.
Despite the fact the the CRO position is unfilled and possibly still undefined, CMS has continued to solicit and award IT contracts. On December 24, CMS awarded a $3.6 million contract for "Operations, Maintenance, and Data Conversion of the Waiver Management System and Medicaid Model Data Lab."
Earlier, just two days after Sebelius's announcement, CMS posted a notice that the agency was seeking sources for a major "Enterprise System Development" contract that is "required to support critical Medicare, Medicaid and Affordable Care Act (ACA) Federal Healthcare Marketplace business functions," and that the contract "encompasses the full range of mission support capabilities that are needed by CMS... to operate, maintain, and modernize CMS' systems with a priority on enterprise approaches."
Additionally, in early January CMS revealed that the major Healthcare.gov contractor, CGI Federal, would be replaced by Accenture just one month before the end of the current Obamacare open enrollment period.
Total contracting activity by CMS, information technology-related and otherwise, has actually picked up considerably since Sebelius's announcement. In all, 22 contracts awards, solicitations, or sources-sought notices have been posted by CMS since December 11 compared to 9 in the 60 days preceding the announcement.
In addition to the new CRO position, there were two other steps announced by Sebelius in December. One was a request to the inspector general of HHS to conduct a thorough review of the contracting and management process that led to the Healthcare.gov debacle. Since inspector general cases often take months to plan and execute and the IG does not comment on ongoing investigations, there is no information available yet on that review's status.
The other step involved improving "CMS employee training on best practices for contractor and procurement management, rules and procedures." Although it is unclear how much training, if any, has taken place since December 11, CMS went ahead with its 2014 Contracting with CMS Conference on January 31 as reported by THE WEEKLY STANDARD in December. Among the topics were "The Good, The Bad, & The Ugly of Contract Proposals" and "Why Past Performance is Important."
Neither CMS or HHS has responded to an inquiry about the status of the CRO position.