The IRS must work harder to keep PHI protected, according to a report by the Treasury Inspector General for Tax Administration.
While the Internal Revenue Service (IRS) is authorized to disclose limited tax information to the HIEs and marketplaces created under the Affordable Care Act (ACA) when an applicant is seeking financial assistance for health coverage, a recent report said the agency must work harder to protect taxpayer information.
Moreover, to protect the confidentiality of the Federal Tax Information (FTI) disclosed to the HIEs, the IRS created safeguards that the HIEs must employ. However, the Treasury Inspector General for Tax Administration (TIGTA) said in its report that additional procedures are needed to further ensure that the information will be protected before the IRS approves its release.
“Specifically, IRS procedures did not require the Exchanges or other agencies to submit an initial independent security assessment report that could help to evaluate risk levels and the status of required security controls,” read the report. “The current documentation on which the Office of Safeguards bases its approval decision release of FTI does not provide sufficient evidence that required controls have been implemented.”
TIGTA recommended that the IRS revise its policy and procedures so that independent assessments of security controls and signed system security authorizations are received and reviewed by the Office of Safeguards before it approves the release of FTI. Additionally, TIGTA recommended that on-site reviews of agencies that have deployed new systems be prioritized according to risk and scheduled in a timely manner.
The IRS agreed to the TIGTA recommendations, according to the report. Additionally, the IRS said it plans to require agencies to submit an initial independent security assessment and signed system security authorization. The government agency explained that it will also create “procedures to use the independent security assessment to validate that controls are implemented as described by the agencies, evaluate risk prior to releasing FTI, and prioritize on-site reviews.”
In a statement to Accounting Today, the IRS said that it has been working on safeguarding the data with the exchanges for more than three years. This included extensive coordination with security staff at the Centers for Medicare and Medicaid Services (CMS) and its own federal data exchange partner leading ACA implementation.
“The IRS also emphasizes the limited tax information is only released when the applicant is seeking financial assistance to obtain health coverage,” the IRS said in its statement. “Additionally, the IRS has a long and proven track record of safely and securely transmitting federal tax information through data sharing agreements to nearly 300 federal and state agencies on a regular basis.”
Last year, the IRS was hit with a class-action lawsuit due to “an unlawful search and seizure” that took place on March 11, 2011. It was reported that “John Doe” was a HIPAA covered entity suing the IRS because the agency had taken more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians, during a records search of a former company employee.
Republican leaders in the US House Committee on Energy and Commerce decided to investigate whether HIPAA’s privacy laws apply to the IRS and how the agency is using the confiscated records.
The post Why Protecting PHI Must Be Top a Priority for the IRS appeared first on HealthITSecurity.com.