In an audit report released on October 23, 2014, the Treasury Inspector General for Tax Administration (TIGTA) has found that the IRS should revise its procedures to better ensure protection of federal tax information scheduled to be released to the health care exchanges under the Patient Protection and Affordable Care Act (P.L. 111-148) (the exchanges use this information to determine eligibility for financial assistance). TIGTA acknowledged the IRS’s work to date on creating safeguards for federal tax information – the IRS had dedicated staff to facilitate the readiness of the exchanges by the October 1, 2013, deadline for coverage enrollment and the IRS Office of Safeguards’ on-site testing procedures were generally adequate.
Nevertheless, TIGTA found that the current IRS procedures did not require the health care exchanges or other agencies to submit an initial independent security assessment report that could help the IRS evaluate risk levels and the status of required security controls. The current documentation on which the Office of Safeguards bases its approval decision for release of federal tax information does not provide sufficient evidence that required controls have been implemented, TIGTA reported. TIGTA also found deficiencies in procedures related to obtaining signed system security authorizations and ensuring that on-site reviews of agencies that have deployed new systems occur in a timely manner.
TIGTA recommended that the IRS revise the Office of Safeguards’ policy and procedures so that the Office receives and reviews independent assessments of security controls and signed system security authorizations before approving the release of federal tax information. TIGTA also urged the Office of Safeguards to prioritize the timely review of agencies that have deployed new systems, based on the level of risk involved.
The IRS’s response within the report was to agree with all TIGTA’s recommendations. In a separate statement released in connection with the TIGTA report, the IRS highlighted its diligence thus far in safeguarding federal tax information. “The IRS emphasizes there have been no data breaches involving federal tax information shared with the Exchanges, and TIGTA did not find any specific or elevated risk to federal tax information maintained by the exchanges during the audit,” the IRS wrote. “Going forward, the IRS will remain vigilant in this area, and the TIGTA recommendations will help make our process even stronger.”
When asked about the Treasury Department’s role in making sure the calculator is correctly certifying plans with full benefits, a Treasury spokesman also had nothing to report. “Treasury declines to comment,” the spokesperson said.
Holloway said HHS and Treasury officials are “clamming up” because politics and finger-pointing have become part of the problem. “I wouldn’t be surprised if HHS kind of came up with the calculator on its own and Treasury is a little teed off that they were not included with developing this thing,” he speculated. “And now there’s probably finger-pointing as far as who develop this thing and now it’s getting bad press.” HHS will most likely replace the calculator and post it back online with an explanation or announcement of changes, he said. “There are a whole bunch of employers who have relied on this thing for their plan designs for 2015. Hopefully, whatever they come up with will be some kind of relief for people who used the current version of the calculator,” he added.