Some of the Patient Protection and Affordable Care Act (PPACA) exchanges may have obvious holes in the security measures they use to protect federal tax information and finding those holes may take the Internal Revenue Service (IRS) years.
Officials at the Treasury Inspector General for Tax Administration (TIGTA) — a watchdog agency that keeps tabs on the IRS — have published information about the steps the state-based exchanges are using to protect tax information in a new report.
The state-based exchanges are using the tax information to verify exchange users’ identities and to verify whether the users’ qualified for the new PPACA premium subsidies or PPACA cost-sharing reduction subsidies.
One thing the TIGTA officials have done is show just how much tax information the IRS is sending to the exchange system. The IRS sent about 23 million tax information reports during the first annual PPACA exchange open enrollment period, from October 2013 through March 2014. About 13 million of the reports went to the HealthCare.gov system at the U.S. Department of Health and Human Services (HHS). The rest went to state exchanges.
Why should you care about how the exchanges protect tax information?
If you have sold any qualified health plans (QHPs) through an exchange, the answer is obvious. The last thing on earth you need this month is for your customers’ tax information to be hacked.
Even if you are a life agent, or a financial advisor, you may have a stake in seeing that hackers do not figure out some creative way to use the office of the nearest public exchange to tap the IRS taxpayer information databases.
So, what could some (or many) of the exchanges done wrong? Read on.
1. Some exchange programs were too poorly run to be able to give TIGTA a “plan of action and milestones” (POA&M) report that TIGTA could use in its own report.
TIGTA analysts got POA&Ms from HHS to create a chart showing how many state-based exchanges had which kind of open data security weaknesses as of Oct. 1, 2013.
The analysts found, for example, that eight states had problems with identification and authentication, and seven had problems with identifier management.