Insurance exchanges’ IRS Publication 1075 data compliance new to many – Commentary by Jeff VanSickel

October 2013 — SearchHealthIT – TechTarget

Affordable Care Act implementation continues, despite some major obstacles: a government shutdown, deep political opposition to the ACA, and a rocky start to the first week of enrollment for its health insurance exchanges (because of initial crashes of the main federal website and ongoing technical glitches causing delays and user-authentication problems).

Mandated by the ACA, the exchanges are online marketplaces designed to offer uninsured Americans health coverage. While each state has one, the law provided for federal management of a state’s exchange if a state declined to set up its own with federal grants. The federal site supports 36 state exchanges. The District of Columbia and 14 states run their own.

On top of the initial technical problems, another potentially big, but little-reported IT problem for the exchanges is waiting in the wings.

The ACA also introduces the use of the IRS to enforce the individual mandate and validate applicants’ claimed income data to ensure they are eligible for premium subsidies. Toward that end, exchanges will have to comply with IRS Publication 1075, which protects federal tax returns and return information (FTI) for taxpayers in the same spirit that HIPAA covers protected health information for patients. Tax data is served by the government on a main federal data services hub for the purpose of validating an applicant’s eligibility for federal subsidies, which many currently uninsured patients would theoretically receive.

IRS adds a layer of compliance complexity

Protecting that tax data requires more than just HIPAA compliance. Separate breach reporting and data encryption rules apply, for example, and the IRS has some fairly specific rules for physical safeguards, including a prohibition on drop ceilings and prescriptions for cubicle wall heights where FTI is handled.

While the federal hub might be secure, according to CMS self-reporting testing and validation, some industry observers aren’t so sure about the organizations and state exchanges tapping into its data reserves.

“For folks who are in the security biz, it sort of translates into ‘FISMA-moderate,’” said Bobbie Wilbur, cofounder of Social Interest Solutions, a nonprofit invested in helping underserved patients through health IT.

Wilbur is referring to how HIPAA, IRS Publication 1075 and other health data security mandates, taken together, amount to a rough equivalent of the middle ground between the minimum and maximum data security requirements of the Federal Information Security Management Act of 2002. “It is a fairly strong security standard, which I think is probably appropriate given the data that we’re handling here,” she said. “But are people operationalizing that? It’s being imposed on a world that has digested HITECH, they’ve digested HIPAA and now there’s yet another layer they’ve never dealt with.”

Payers, providers could be affected and unaware

Payers will most likely have to meet the standards, Wilbur said, as will any provider that hooks into the exchanges for billing or that has patient support services or financial offices assisting uninsured patients in signing up for policies. Federally qualified health centers or local clinics might associate with volunteer community groups or private brokers that help feed patients into the exchanges. These groups, with shoestring funding and little bandwidth for setting up formal compliance programs, might be vulnerable to violations.

Wilbur, who wrote some of the verbiage in ACA section 1561 covering electronic enrollment of patients into the exchanges, said that her company assisted several states in setting up their exchanges. It also had a hand in Arizona’s ACA-funded Medicaid expansion effort, enrolling patients. She saw firsthand how IRS 1075 can cause a compliance kludge, because any entity that touches the hub must meet its security requirements whether or not it accesses taxpayer data.

“The state of Arizona has chosen not to use IRS tax data as enrollment criteria for new Medicaid patients,” Wilbur said. “But because Arizona is connecting to the federal data services hub — even though it is not using that IRS tax data — because the system they’re connecting to has that data in it [and] they have to comply. The tentacles of these requirements are brutally extensive. … I’m not saying it’s bad, it’s just that it takes time to digest, operationalize and build a security framework that can support that.”

Her organization isn’t touching any IRS data, Wilbur said, because some of the requirements are “over the top,” such as data partition requirements that prohibit IRS data from living in the same places as other business data, even though the personal data and the IRS data are protected by the exact same stringent security protocols. Wilbur added that she understands why data security is so important, considering that the data the IRS keeps on individuals includes Social Security numbers, financial data, family relationships and a lot more. But her organization is struggling to draw the line between security and opening access for the uninsured patients the ACA was intended to help.

“A state probably could and definitely should accommodate this,” she said. “But how far should it extend beyond, and what’s your real risk?”

Feds pulled together hub quickly

It may be small consolation to the parties in the healthcare world newly subject to IRS Publication 1075, but they can take solace in the fact that they’re not alone in reconciling the vagaries of HIPAA and the tax data privacy rule. The IRS must get into compliance with HIPAA, too, in order to play its data handling role for the exchanges.

Not many healthcare providers will be subject to IRS 1075, believes Jeff VanSickel, who heads the compliance practice for System Experts Corp. The data security consultancy is based in Sudbury, Mass., and specializes in security strategy and testing IT vulnerabilities. He said that payers are likely familiar with many of the tax rules, and therefore won’t be blindsided by having to comply with them, because they already handle a great deal of financial data and maintain comparable levels of security in the course of doing business.

What worries VanSickel are the government hub and subsites. The federal hub represents a large IT project that was set up quickly to meet ACA deadlines, he noted. Even if the feds managed to lock it down, security-wise, that still leaves 50 state-level data centers that were quickly pulled together, feeding into it. Their administrators needed to build new compliance programs from scratch and in a hurry.

He questioned their ability to meet both IRS 1075 and HIPAA requirements for privacy and security, as they mash together health data and tax data to determine individual eligibility for subsidized insurance policies. It takes time for data center providers getting into the health insurance exchange business to develop the policies, incident management protocols, access controls and security systems needed to comply with both, he said.

His company is flooded with requests for help in HIPAA compliance, but no one’s calling for IRS 1075 assistance. That does not bode well, VanSickel said, for the preparedness of the state, county and local-level sites feeding into the federal data services hub.

“You’ve got to create these mega-hubs, which are going to take a tap from the federal and state IRS, and then they’re also going to take a feed from [health information exchanges],” VanSickel said. “They’re putting a middleman between the exchanges and the healthcare community. I don’t want to say it’s the weakest link, but let’s just say it’s an extreme point of interest. My big fear is the fact that these data services hubs can’t possibly be ready for prime time.”