The Internal Revenue Service (IRS) might have minor — or major — weaknesses in efforts to test systems that will handle a new series of insurance company net premium filings.
But officials at the Treasury Inspector General for Tax Administration (TIGTA), a federal watchdog agency, are giving members of the public just enough information about a TIGTA review of IRS security testing to suggest that there might be cause for concern.
TIGTA officials have put the results of their review in a heavily redacted report.
Starting in early 2015, the IRS will be responsible for administering many PPACA tax provisions that apply to the 2014 tax year.
One of those PPACA tax provisions, PPACA Section 9010 will impose $8 billion in taxes, or “insurance provider fees,” on health plans and commercial health insurers for the 2014 tax year. A health insurer is supposed to file Form 8963, to report on its net written premiums and give the IRS the information needed to calculate the insurer’s share of the insurance provider fee obligation.
Pharmaceutical manufacturers are also supposed to pay an annual PPACA tax. They will file information about sales of branded prescription drugs and sales of orphan drugs using Form 8947.
TIGTA officials have published a clear description of one concern about IRS system testing: TIGTA investigators think the IRS testers did a poor job of describing the objectives of some of the system tests, such as how well insurers could submit filings with attachments, in the testing system.
“Our concern is that the expected results should be accurate and complete in order for the testers to fully understand what they are testing and for the testers to be able to adequately compare the actual results to the expected results,” TIGTA officials say. “Whenever actual results are not properly compared to expected results because the expected results are not effectively conveyed, the IRS may be unable to determine whether testing activities adequately validate system functionality and requirements and also ensure that the system operates as intended.”
For a look at what the TIGTA officials found and did not want to share with the general public, read on.
1. We can’t tell you the name of a commercial off-the-shelf application the IRS is using to provide a framework for the electronic processing of health insurance providers’ Form 8963 filings.
The IRS has blacked out a diagram that shows how the unnamed framework-providing application fits in the IRS filing processing universe.
2. We can’t tell you about the results of IRS “insurance provider fee” system vulnerability testing, or what’s going on with any patching of those vulnerabilities.
TIGTA officials have included a major section in their report with the title, “Results of review: Identified security weaknesses should be fully mitigated.”
The chapter heading suggests that TIGTA officials found what they believe to be serious problems in the IRS insurer and drug manufacturer PPACA filing processing systems. But TIGTA officials have blacked out so much of that section that no actual performance ratings are visible. It looks as if this section may refer mainly to concerns about the prescription drug filing processing system, not the insurance provider fee filing processing system.
3. It looks as if a failure to patch prescription database security could affect the ability of the IRS to calculate the fees the insurance providers owe, but we can’t tell you why.
So much of that section is blacked out, it’s not clear whether the TIGTA officials are mixing up insurer filing processing with drug maker filing processing, or whether the drug maker filing processing system somehow affects the processing of the insurers’ filings, too.