Is the IRS Violating HIPAA Medical Record Privacy Laws?

In recent weeks the Internal Revenue Service (IRS) has garnered plenty of publicity it would probably rather do without.

Much of the nation took notice of recent allegations that the IRS unfairly targeted conservative groups, and particularly members of the tea party movement. While Pres. Obama has not acknowledged any prior knowledge of the IRS’s special attention given to tea party movement members or others known to oppose aspects of his administration, acting IRS Commissioner Steven Miller announced he was stepping down as a result of suspicions cast on actions of the IRS.

In his farewell memo to IRS employees, Miller tied his departure, effective in June, to “a strong and immediate need to restore public trust in the nation’s tax agency.” One suspects Miller believed his departure would help restore trust in the IRS as a nonpartisan agency dedicated to the fair treatment of all Americans.

Even before Miller announced his departure from the IRS, however, new concerns surfaced over allegations that the IRS had compromised the privacy rights of millions of Americans. Specifically, the IRS has been accused of violating provisions of the HIPAA laws designed to protect the privacy of medical information pertaining to Americans around the country.

What are HIPAA Laws?

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, guarantees certain basic healthcare-related protections to Americans. Title 1 of HIPAA relates primarily to the “portability” reference in the Act’s full name—specifically, by facilitating continuation of health coverage for people who stand to lose their coverage due to losing or changing jobs. Title 2, meanwhile, focuses more on accountability, including accountability of various agencies required to maintain and protect the privacy of Americans’ medical records.

In this discussion, we will focus exclusively on accountability and measures designed to safeguard the privacy rights of Americans.

What information is protected by HIPAA?

According to page 3 of the Dept. of Health and Human Services (HHS) publication, Summary of the HIPAA Privacy Rule, “the Privacy Rule protects all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”

Summary of the HIPAA Privacy Rule goes on to classify individually identifiable health information as “information, including demographic data, that relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual.” Individually identifiable health information either identifies an individual or provides information making it reasonable to believe an individual can be identified. Such items as addresses, Social Security Numbers, and, of course, names constitute individually identifiable health information.

According to the HHS Summary, “de-identified” information is not protected under HIPAA, as “de-identified health information neither identifies nor provides a reasonable basis to identify an individual.”

Who is Required to Abide by HIPAA Laws?

Page 2 of the HHS Summary states, “The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.”

According to HHS, “health plans” accountable under HIPAA include:

      • Health, dental, vision, and prescription drug insurers
      • Health maintenance organizations (HMOs)
      • Medicare, Medicaid, Medicare+Choice (Medicare Advantage) and Medicare supplement insurers
      • Long-term care insurers (excluding nursing home fixed-indemnity policies)
      • Employer-sponsored group health plans covering more than 50 employees
      • Multi-employer health plans
      • Most government-sponsored health plans

HHS defines health care clearinghouses as “entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.” Typically, according to HHS, “health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate.”

“Providers” in the HHS Summary refers to “every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions.”

Although the IRS is not a health plan, clearinghouse, or medical provider obligated to uphold provisions of HIPAA, as a federal government agency it is obligated to do nothing to encourage or cause entities accountable under HIPAA to violate any laws protecting Americans from invasions of privacy.


2 thoughts on “Is the IRS Violating HIPAA Medical Record Privacy Laws?”

  1. Steven, great post and something I never thought about in all my years of HIPAA consulting to Covered Entities and Business Associates. You have to wonder if this would get anywhere from a legal perspective. Thanks for the post.

  2. …and on a side note, let me just add that if you want to see a decrease in data breaches of Protected Health Information (PHI), then both Covered Entities and Business Associates should do three (3) primary things: (1) put in place all necessary HIPAA policies and procedures; (2) strictly enforce annual security awareness training for all employees and workforce members; and (3) build a network that has comprehensive elements of layered security and defense-in-depth within it. Call it the 3-point triangle for HIPAA success, which is relatively straightforward, yet many CEs and BAs simply fail to grasp the importance of such initiatives. Remember that HHS | OCR has announced even more annual HIPAA compliance audits, so be ready.
