The Internal Revenue Service needs to go to greater lengths to safeguard taxpayer information on health insurance exchanges, according to a new government report.

The report, from the Treasury Inspector General for Tax Administration, noted that the IRS is authorized to disclose limited tax information to the health insurance exchanges and marketplaces that were created under the Affordable Care Act when an applicant is seeking financial assistance to buy health coverage. To protect the confidentiality of federal tax information, the IRS has established safeguards that the exchanges are supposed to use.

While the IRS has provided staff members who facilitate the readiness of the exchanges to receive tax information, the report said additional procedures are needed to provide more assurance that the information will be protected before the IRS approves its release.

In the report, TIGTA reviewed whether the IRS Office of Safeguards has implemented sufficient policies and procedures to ensure that Affordable Care Act exchanges are adequately protecting federal tax information received from the IRS.

"The IRS must do more to ensure that federal tax information submitted to the ACA exchanges is protected and prevent its unauthorized disclosure," said TIGTA Inspector General J. Russell George in a statement.

TIGTA found that the IRS’s procedures did not require the exchanges or other agencies to submit an initial independent security assessment that could help to evaluate risk levels and the status of required security controls. The current documentation on which the Office of Safeguards bases its approval decision for release of the information does not provide enough evidence that the required controls have been implemented.

TIGTA recommended that the IRS ensure that the Office of Safeguards receive and review independent assessments of security controls and system authorizations before approving the release of federal tax information. In addition, the Office of Safeguards should prioritize reviews of agencies that have deployed new systems according to risk.

IRS management agreed with TIGTA’s recommendations and plans to take appropriate actions. “The IRS takes data security very seriously and the Office of Safeguards has a key role to ensure that federal tax information (FTI) shared with our agency partners under Internal Revenue Code Section 6103 is properly protected at all times,” wrote Mary Howard, director of privacy, governmental liaison and disclosure at the IRS. She noted that the IRS coordinated with security staff at the Centers for Medicare and Medicaid Services and ensured that they incorporated IRS data protection standards in all privacy and security guidance issued to states.

In an email to Accounting Today, the IRS said it is taking “aggressive steps” to protect the information on the exchanges.

“The IRS has taken aggressive steps to ensure the protection of federal tax information shared with the Health Insurance Exchanges,” the IRS said in a statement Thursday. “The IRS emphasizes there have been no data breaches involving federal tax information shared with the Exchanges, and TIGTA did not find any specific or elevated risk to federal tax information maintained by the exchanges during the audit. The IRS has been working on this data-safeguarding effort with the exchanges for more than three years, including extensive coordination with security staff at the Centers for Medicare and Medicaid Services (CMS), our federal data exchange partner leading ACA implementation. The IRS also emphasizes the limited tax information is only released when the applicant is seeking financial assistance to obtain health coverage. Additionally, the IRS has a long and proven track record of safely and securely transmitting federal tax information through data sharing agreements to nearly 300 federal and state agencies on a regular basis. Historical results show extremely low incidence of data issues. It is important to note that in order to receive federal taxpayer information, if allowed by law, states and other agencies must take a number of critical steps. These steps include restricting access to the data, securely storing the information, training employees on protecting taxpayer information, routinely reporting on their information security efforts and engaging in regular onsite reviews by the IRS of their safeguards. Going forward, the IRS will remain vigilant in this area, and the TIGTA recommendations will help make our process even stronger.”

Register or login for access to this item and much more

All Employee Benefit Adviser content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access