CMS transforms the American healthcare system. Okta secures and streamlines identity.

New government policies require new digital tools

In 2015, the U.S. Congress passed the Medicare Access and CHIP Reauthorization Act (MACRA), mandating a transformative shift to a value-based healthcare payment model and away from traditional fee-for-service provider payments. The object was to incentivize and support doctors who demonstrably deliver quality care, so as to improve the quality of U.S. healthcare in general.

To support that shift, the Centers for Medicare and Medicaid Services (CMS) needed to build an online tool that healthcare providers could use to submit information about their services. Using that information, CMS would provide payment adjustments to providers based on the quality and outcomes of care.

CMS already had success collaborating with the U.S. Digital Service (USDS), a federal technology startup at The White House born in 2014 when President Barack Obama put out a call for tech industry experts to come to the aid of Healthcare.gov. That website’s technical problems threatened to derail the Affordable Care Act (ACA), which fell under the auspices of CMS. Since then, USDS technologists and UX designers had worked with CMS to modernize Healthcare.gov and make sure annual insurance enrollment periods progressed smoothly.

“We’re a team of technologists and designers and healthcare policy experts who truly believe that the future of healthcare should be focused on empowering doctors and patients,” says Crystal Yan, product and UX consultant at USDS.

At the root of sticky bureaucracy: Sticky identity challenges

The new MACRA tool, dubbed the Quality Payment Program (QPP), was a chance for CMS and USDS developers to build something from scratch using the modern IT principles they’d been working with since 2013. “What if we started at the beginning?” says David Koh, USDS engineer. “Could we do something that was transformative, that could bring modern technology into government in a way that had never been done before?”

QPP replaced three other government programs, each with its own website and legacy identity management system—built mostly in-house on old technology, using cumbersome processes. Providers had to create accounts in three different systems and keep track of those logins and passwords. The complicated account creation process created huge barriers.

“We wanted it to be easy for people to create an account,” says Koh. “We also wanted people to be able to use the accounts they had already created.”

Security and identity management were not a core strength for CMS developers—healthcare management was. The USDS team recommended they identify an identity management partner who could unify all three websites and bring the latest identity technology and skills to the QPP project.

Privacy was also paramount. When considering a new identity and access management solution, the team wanted it to integrate seamlessly with their new, modern technology stack, but it also needed to be completely secure. Two-factor authentication was essential to ensuring that sensitive, HIPAA-regulated patient information would be protected.

Reliability was also critical. “QPP is a little like doing your taxes,” says Koh. “There’s a window when doctors can apply for the whole year, and the payments they receive are based on what they submit. If the system goes down in the last week or the last day of that window, things get chaotic.”

Designing a human-centered submission process

While identity issues were a complex but fairly straightforward hurdle, the CMS team recognized another, even more challenging issue facing QPP: gathering accurate data from providers.

“Value-based payment is a great model in theory,” says Koh. In practice, it has one big problem: The doctors who are laser-focused on patient care aren’t likely to be the ones spending a lot of time sitting at a computer gathering and aggregating data and jumping through any hoops required to submit it. “If it’s burdensome for providers to submit this information, then the whole theory of improving the U.S. healthcare system and saving lives doesn’t work.”

Rather than jumping in and immediately consolidating three websites, the team took a step back to try to understand the needs of the people who would be submitting QPP information. “We heard from some clinicians that they would spend twice as much time meeting the Medicare compliance burden as they would spend actually treating Medicare patients,” says Koh.

The USDS team at CMS was charged with finding ways to address that problem. “Our role at USDS is to bring human-centered design into government,” Yan says. “As a designer, every decision you make has to be done with intention. There’s a lot of work that goes into making sure users have an experience that feels easy and intuitive. A lot of that work is as simple as sitting down with someone and interviewing them, to better understand what a day in their life is like, what challenges they face in their role, and then figuring out what those pain points are, and how to transform them into opportunities.”

A team comprised of USDS designers, career public servants and contractors conducted extensive user research. As a result, CMS identified a large sector of the healthcare industry that they could ally themselves with. Clinical data registries, such as the Alzheimer’s Prevention Registry or national and state cancer registries, are charged with recording information about patient health and healthcare. Typically, they focus on specific diseases, procedures, or devices, to try to understand and improve the quality and safety of care.

“They’ve already spent time and effort thinking about innovative ways to set it up so that, instead of having to gather and record all this information separately, and making providers fill out all this paperwork, it can be built into how doctors and hospitals work,” says Koh.

At that point, the team decided to take an API-first approach. “Before building out this nice user interface, we would build a clean, well-documented API that would be easy to access through an API token,” says Koh. “We would give access to these registries that are building and innovating new ways of gathering and reporting healthcare information that we may not have thought of, or that we couldn’t have thought of.”

Connecting layers of access, securely

The API approach added another layer to the identity challenge. All of those data registry partners would need to connect to the QPP API seamlessly and securely. The team began looking at Okta, as the leader in the identity space, to serve as the data gatekeeper for partners, providers, and CMS employees.

“Okta had an easy-to-work-with API that we could plug into,” says Koh. Developer documentation for Okta APIs is a particular strong point, he says. “It’s made our lives much easier and allowed us to develop a much better product.”

Okta APIs fit with the modern infrastructure that CMS was building, as well. Okta offers HIPAA-compliant infrastructure, a requirement to meet the scale, reliability, and regulatory requirements of a large public-sector organization.

“We could see that it would eventually make a good enterprise solution for CMS,” says Koh. CMS administers hundreds of programs, in addition to QPP. With an Okta choice, the team would be setting a standard for how CMS would manage identity across its programs as it moved into the future.

Okta also offered its easy-to-use Multi-Factor Authentication product. “It was similar to what many of our users would have been used to on other services, like their email or their bank,” says Koh. The extra layer of protection would be critical for meeting HIPAA standards and protecting patient information.

Finally, the team was impressed with Okta’s administrator console and different administrator roles. When users called in with login issues, Okta allowed help desk admins to easily access just the right level of detail on user accounts. “Okta was able to give a good experience to that person at the service desk, so that they could give a good experience to our end user,” says Koh.

“One less thing to worry about.”

Today, QPP operates from a website that unifies the three original programs into a single experience. “The login experience was one of the first things we rolled out for QPP,” says Koh. “It had been such a big pain point for users in the past.”

Okta API Access Management allows CMS developers to focus on creating a streamlined QPP experience while Okta controls access to the website and API. While the team had to debug a few issues with the QPP system, having to do with how information gets imported or with service desk processes, “we didn’t have issues with Okta itself,” says Koh. “Okta was able to log people in and out easily. It was nice to have one less thing to worry about.”

The Okta Identity Cloud allows CMS to transform the user experience for healthcare providers, with a cloud-based architecture that easily accommodates millions of users, scaling up automatically during peak periods. In 2017, Okta received Moderate certification in the Federal Risk and Authorization Management Program (FedRAMP), further proving its commitment to keeping public-sector systems safe and secure.

Going forward, Okta will help modernize CMS’ backend systems and make its infrastructure more agile as the agency’s constituents continue to increase in number and frequency of authentications.

An API with monumental impact

Building QPP was a huge challenge, and the team is proud of the results. “To be honest, 94% of federal IT projects don’t deliver on time, or they’re over budget, or both,” says Koh. “We wanted to be in that six percent, on time and under budget, and we succeeded in that.”

Koh recounts the story of one user who called the help desk to say, “You know what, I’m worried. I don’t think I did this right.” When the CMS staffer asked what the problem was, she said, “Well, it looks like I’m done already, but it was just too fast. It’s never been that easy before.” Of course, it turned out she was just accustomed to all the obstacles of the old system.

CMS developers say the new API is “a quantum leap forward” from what they’ve been exposed to in the past—basically “not a very well documented file format without any validation, without a clear mechanism for authentication,” Koh says. “We gave them a clean API with clean developer tools, and not only do we have qualitative information—we have quantitative information.”

“Identity was one of the biggest hurdles we had to cross,” he says, “but we also wanted to provide a good experience to QPP users. Okta helped us achieve both those goals.”

“What really makes me proud about what we accomplished with QPP is being part of a movement to transform an entire industry,” says Yan. “In any system where you have an economic incentive at the heart of it, if you can make sure that the people who are benefitting from a service, that their interests are aligned with the people who are offering that service—that leads to better outcomes for everyone.”

About the Centers for Medicare and Medicaid Services

The Centers for Medicare and Medicaid Services is a federal agency within the United States Department of Health and Human Services. It administers the Medicare program and works with state governments to administer Medicaid, the Children’s Health Insurance Program (CHIP), and health insurance portability standards. CMS oversees Healthcare.gov, as well as quality standards relating to the Health Insurance Portability and Accountability Act (HIPAA), long-term care facilities, and clinical laboratories.