CIOs at federal government agencies--including the U.S. Department of Health & Human Services and Department of Veterans Affairs--don't have enough authority, particularly when it comes to spending, according to a recently published report by the Government Accountability Office.
"The high level-survey responses regarding CIO authority at agencies indicate that several CIOs still do not exercise the authority needed to review and approve the entire IT portfolio, consistent with [Office of Management and Budget] guidance," the report states. "Although OMB has issued guidance and required agencies to report on actions taken to implement it, this has not been sufficient to ensure that agency [chief operating officers] address the issue of CIO authority at their respective agencies."
The report adds that such insufficient guidance hinders the ability of agencies to address various responsibilities.
At HHS, the report states, despite a formal memo in place that outlines the CIO's authority, the CIO has "limited influence and ability to recommend changes" to the overall IT portfolio.
The report comes on the heels of the much maligned rollout of HealthCare.gov as part of the Affordable Care Act, which was overseen by the Centers for Medicare & Medicaid Services. CMS CIO Tony Trenkle, who was one of several officials in charge of the project, announced last week that he was resigning, effective Nov. 15, to take a job in the private sector.
Meanwhile, CMS Deputy CIO Henry Chao, The Hill reports, was kept in the dark about HealthCare.gov's potential security issues. Chao recently testified to the House Oversight Committee that he had not been included on a memo about such flaws, although he was involved in development of safeguards for protecting patient privacy for the data hub that data hub that connects state health insurance exchanges created under the Affordable Care Act with federal agencies.
"I'm surprised," Chao said in his testimony. "And I probably--with that knowledge, I would have at least acknowledged what those findings were in the risk assessment." Chao added, however, that lines of communications between agencies involved in the rollout and contractors charged with working on the site may not have been working appropriately.