The IRS is being audited, in a sense, by a Congressional subcommittee.
A House committee has called for an investigation of the Internal Revenue Service’s policies, procedures and accountabilities under HIPAA in response to an allegation that the agency unlawfully seized more than 60 million personal medical records affecting more than 10 million patients.
The case strikes a new chord in the world of data security and the HIPAA Privacy Rule, and it could prove instructive for health IT industry observers. Could an IRS information seizure qualify as a reportable data breach?
The unnamed HIPAA-covered entity, “John Doe Company,” is suing the IRS and 15 unnamed agents for improperly obtaining records in March 2011. According to the complaint, the IRS’ search warrant permitted the collection of tax records of a former employee of the company, but “did not authorize any seizure of any healthcare or medical record of any persons, least of all third parties completely unrelated to the matter.”
“These medical records contained intimate and private information of more than 10,000,000 Americans, information that by its nature includes information about treatment for any kind of medical concern, including psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns,” the complaint states.
Three months after the claim was filed, U.S. House Committee on Energy and Commerce leaders Tim Murphy (R-PA) and Michael C. Burgess (R-TX) penned a letter to the IRS, asking how the agency is “preserving and treating” these records. They also seek an explanation of its HIPAA policies and procedures and how it ensures that protected health information (PHI) remains confidential and private. Requesting written answers no later than June 21, they wrote,
“While HIPAA privacy rules restrict the ability of a covered entity to release protected health information, those rules appear to impose no restrictions on the IRS’s ability to use such information after it is obtained.”
The suit contends that the agents “ignored” and “discarded” the objections of IT personnel at the scene, a HIPAA facility warning posted on the building, and company executives who warned them of the privileged nature of the records. Moreover, it claims the IRS agents threatened to “rip” the server containing the medical data out of the building if IT personnel would not voluntarily release it.
In initial reports of the case, IRS spokespeople have not commented on the record. The suit alleges that, despite “being put on notice of the illicit seizure,” the agency continues to possess the records.
As the case progresses, it could address a HIPAA compliance question: Do the IRS’ actions improperly override the safeguards embedded in the HIPAA Privacy Rule? Moreover, does a federal seizure of protected medical records qualify as a data breach, requiring “John Doe Company” to report it and potentially exposing the company to fines from the HHS Office for Civil Rights?
Under the final HIPAA omnibus rule, an impermissible use or disclosure of PHI is presumed to be a reportable breach unless the covered entity can demonstrate a low probability that the PHI has been compromised. That determination rests on a four-factor risk assessment: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
According to the U.S. Department of Health and Human Services, there are three exceptions to the definition of a “breach”: unintentional, good-faith access by a workforce member of the covered entity acting within the scope of their authority; inadvertent disclosure from one person authorized to access the PHI to another authorized person at the same entity; or a case in which the covered entity has a good-faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.
The class action against the IRS seeks $25,000 in compensatory damages “per violation per individual” in addition to punitive damages for constitutional violations, as well as an order to return the records and purge all government databases that store them.