Taxpayer information given to the state-based insurance exchanges created by ObamaCare could be at risk, according to a new federal audit.
The Treasury Department’s inspector general for tax administration said in a report released Thursday that the IRS needs to boost its efforts to ensure that taxpayer data are protected.
"The IRS must do more to ensure that federal tax information submitted to the ACA [Affordable Care Act] exchanges is protected and prevent its unauthorized disclosure," said Russell George, the inspector general for tax administration.
Under the health law, people can receive a tax credit to help with the costs of insurance on the state exchanges. The IRS is charged with calculating the maximum amount of the tax credits, and with reconciling the credit a taxpayer received with their income.
To help with that process, the healthcare law allows the IRS to share certain taxpayer information with the state exchanges.
In a statement, the IRS said it had taken "aggressive steps" to make sure that tax information given to state health exchanges was protected, and that the inspector general's report would help strengthen its efforts.
"The IRS emphasizes there have been no data breaches involving federal tax information shared with the exchanges, and TIGTA did not find any specific or elevated risk to federal tax information maintained by the exchanges during the audit," the agency said in a statement.
"The IRS has a long and proven track record of safely and securely transmitting federal tax information through data sharing agreements to nearly 300 federal and state agencies on a regular basis. Historical results show extremely low incidence of data issues," the agency added.
George’s report did say that the IRS has taken many positive steps to protect taxpayer information, and noted that there’s no perfect system for keeping that data safe.
The IRS, for instance, began working with other agencies to develop safeguards two years before people started enrolling for insurance in October 2013.
Agency officials also required state exchanges to describe how they planned to protect taxpayer information from disclosure, and made on-site visits to check in on the exchanges.
But the inspector general added that the IRS does not require state exchanges to conduct an initial security check before getting the tax information.
The agency also didn’t require that top officials at state exchanges promise in writing that they understood the risks and importance of protecting the tax information. Plus, exchanges might not get on-site reviews of new systems to protect tax data for up to three years.
The inspector general said that meant the IRS didn’t have enough assurances that the state exchanges had internalized all the risks involved in protecting taxpayer data.
This story was updated at 4:18 p.m.