Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  
magnifying glass
Advanced Search   Search Tips

Health Care Tax Credit

 

Privacy Impact Assessment –  IRS Health Care Tax Credit

IRS HCTC System Overview

The HCTC (Health Coverage Tax Credit) Application will facilitate the implementation of the Health Coverage Tax Credit Program (HCTC). The HCTC Application will receive lists of eligible individuals from the State Workforce Agencies (SWA) through ICON (Interstate Connection Network) and the PBGC (Pension Benefit Guaranty Corp). The application will then create information packets for all eligible individuals. The information packet will provide information on the HCTC and will contain contact information for the elected health plan options available in the state. The HCTC solution will also include a call-center that would provide information on eligibility, explain health insurance tax credit benefits, and resolve problems and disputes. The HCTC application will work with USBank to accept payments.  The HCTC application will forward eligibility lists US Bank to indicate which taxpayers to expect payment from.  USBank will provide confirmation regarding payments from individuals, and information on individuals whose eligibility and/or premium payment amounts were in question. The HCTC application will facilitate the timely payment of premiums by ensuring the timely transfer of data to and from the IRS, including individuals who have remitted their portion of the premium and the premium amount as well as the amount FMS will pay to the vendors (Health Plan, TPA, Employer Group). 

System of Record Number(s)

Treasury/IRS 22.012-Health Coverage Tax Credit Program Records

Data in the System

1. Describe the information (data elements and fields) available in the system in the following categories:

A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)

A. Taxpayer data in the system includes Customer Account Number, SSN, DOB, Date of Death (if this occurs during enrollment), Address, Phone Number, dependant information (Name, DOB, Relationship), Vendor (Health Plan, TPA, Employer Group) Information, Premium Information, Language Preference, Access Needs, Access Notes, County of Residence, State of Residence, Primary Phone Number and Secondary Phone Number, Federally Funded Health Plans the individual participates in, Prison Information, and Self-Attested Answers to the four eligibility questions. Only data elements that are required to operate the advanced tax credit option of HCTC, according to TAA (Trade Adjustment Act) guidelines will be collected.

B. A few IRS employees will have access to the SAP application to approve payments.  For every payment the IRS employees approves or denies, their User ID, the Timestamp, and Action Taken is collected. This User ID is an HCTC Application ID that is assigned once the employee has submitted their approved form 5081.

C. The Audit trail will capture the User ID of any individual that alters any data, what the user did, as well as record the timestamp of when that action occurred.

D. Vendor data in the system includes Vendor Name,   EIN (Employee Identification Number), Address, Point of Contact Name, Phone Number, Date of Entry and Payment Remittance Information.  Vendors are Health Plans, Third Party Administrators, or Employers (e.g. Health Plan of the DC Metro Area). These data elements are captured for the following reasons:

-To ensure that the “enrollee” is enrolled in a qualified Health Plan, according to HCTC guidelines
- To provide Health Plan options for “eligibles” that may not be enrolled in “qualified” health plans
- In order to make the “enrollees” payments on time to the correct vendor.

2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.

A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)

A.  The IRS will approve payments to be made to vendors on individuals’ behalf. Specific employees from the IRS will have access to the SAP application, so that they have the ability to mark the Payment Proposal items as approved or denied.  For those payments that are denied, the IRS employee will also indicate a reason for denial for audit purposes.  The IRS employees that are allowed to access the SAP application will be given a User ID.  Each record that the IRS employee approves or denies will contain their User ID with Action Taken and a Timestamp for audit purposes.  All User Ids are assigned in accordance with the baseline security requirements.

The IRS will also send HCTC a file that contains all the TINs whose premiums were paid, the amount that was paid, and any additional information about the payment from FMS (Financial Management Service).

B. The taxpayers themselves will verbally provide Language Preference, Access Needs, Access Notes, Mailing Address (update), County of Residence, State of Residence, Primary Phone Number and Secondary Phone Number, Dependants’ information (Name, DOB, and relationship), Self-attested answers to the four eligibility questions, and Premium Amount.  The taxpayer will also send in written documentation (Invoice or COBRA Election Letter) that verifies Premium amount, individuals covered under the policy, and Vendor Name. When taxpayers call the Customer Contact Center, they will be authenticated by confirmation of SSN, Name, and Address. If the taxpayer cannot be found in the system with an exact match of those three elements, they will be redirected to either PBGC or the SWA for their state.

C. Employees will enter their User ID to log onto the system, and their User ID will be used for audit tracking. (These employees are non-IRS employees or approved IRS employees).  User ID will be the only employee data stored in the HCTC system.  Please see the IRM 25.10.1 for audit guidelines. 

D. Interstate Connection Network (ICON): ICON is a system operated by Lockheed Martin for the Department of Labor. ICON works as a clearinghouse for states.  This system is currently operational.  HCTC obtains taxpayers’ SSN, Name, Address, DOB (If available), eligibility month/year, eligibility adjustment code for each “eligible” individual through a State Workforce Agency (SWA).  The State Workforce Agencies are responsible for identifying HCTC eligibles in their state, based on guidelines from the Department of Labor. Data will be sent in a file generated by ICON, representing a collection of the data sent by the SWAs.  

E. PBGC (Pension Benefit Guarantee Corp): HCTC obtains SSN, Name, Address, DOB (if available), eligibility month/year, eligibility adjustment code for
each “eligible” individual through PBGC. Data will be sent in a file generated by  the PBGC.

F. USBank: HCTC will receive a daily feed containing all the TINs that sent in any payment, and the amount of that payment.  The data will be contained in a file  
generated by USBank.

All State Approved Health plans are designated by the SHAs (State Health Agency).  The SHAs will send a letter to the HCTC program when any Health Plans are added or removed from the State Approved Health Plan list.  State Approved Health Plans are determined based on 4 requirements.  These Health plans are input into the system and/or modified per the letters from the SHAs.

ChoicePoint: ChoicePoint will be used for TIN validation.  When a TIN is received by HCTC for the first time (by PGBC/ICON), HCTC will send that TIN and the associated name (Last, First, Middle) to ChoicePoint.  ChoicePoint will respond indicating whether the TIN is valid or invalid. If the TIN is valid, then ChoicePoint will send the DOB as well.  All files sent by HCTC to ChoicePoint and vice versa, will be sent via a secured process over the internet.

Vendors: Vendors are Health Plans, TPAs, and Employer Groups.  If an individual participates in a qualified health plan that is not a “State Approved Health Plan,” then HCTC will contact the vendor (over the phone) listed on the Invoice/COBRA Election Letter that the individual submits and obtain Vendor Name (also listed on the Invoice/COBRA Election Letter), EIN (Employee Identification Number), Address, Point of Contact Name, Phone Number, Date of Entry and Payment Remittance
Information.

3.  Is each data item required for the business purpose of the system?  Explain.

All data collected is necessary for administering the Advanced Tax Credit mandate as described in the HCTC regulation. Advanced Tax Credit (ATC) is a component of  HCTC.  No health information will be collected; The data that is collected will be information that facilitates premium payment or end-of-year tax credit, dependant information, and vendor information.  Please refer to the System Of Records Notice (SORN) for further details.

4. How will each data item be verified for accuracy, timeliness, and completeness?

The information that comes in from ICON and PBGC is expected to be accurate, and eligibility is refreshed every month to ensure timeliness.

The TINs that are received will be validated to ensure they are valid.  Invalid TINs will not be loaded into the system. HCTC will use the ChoicePoint system to validate TINs and DOB. If the TIN is valid, but the DOB is different than the DOB sent in on the PBGC/ICON feed, then that record will be flagged for further manual investigation.  See question 2 for details on the process of TIN Validation.

Each individual that calls will need to provide a TIN and Name that matches the data in the system, to ensure they are the correct individual. Once the individual calls to update the necessary information in the system and request enrollment (providing personal information, dependant information, vendor and premium information), the personal and dependant information that the individual gives is self-attested and thereby considered accurate. 

Vendor and premium information is verified for accuracy by asking the taxpayer to send in a copy of their invoice/COBRA Election Letter.  It is up to the taxpayer to update their information should anything change, and notify the program of any Vendor or Premium changes.  The system controls each individual’s status, such that any data that is required for system processing will be required before the individual’s status will be escalated to “enrolled.” 

5. Is there another source for the data?  Explain how that source is or is not used.

The sources of our data include the Taxpayer, PBGC, ICON,  USBank, ChoicePoint, and the IRS.

Information about the taxpayer must be obtained from the taxpayer in order to have the most accurate data.  It is up to the individual to request the HCTC ATC, and to maintain the maximum amount of privacy for each individual’s record. Other than the TIN check, the individual is solely responsible for requesting the ATC, and altering any of their personal, dependant, vendor, and premium information.  

The information from PBGC and ICON is mandated by the HCTC regulation, and they are the only sources that we may obtain “eligibles” data from.

USBank is the financial intermediary chosen by FMS.  The HCTC regulation mandates that the financial intermediary that HCTC uses is an institution designated by FMS.

ChoicePoint is used throughout the IRS, and can provide all the data HCTC needs for validation, thus promoting Program Integrity.  ChoicePoint is one of the few options that are available that can be operational by August 1st, 2003.

IRS is the owner of the HCTC program, and is the only entity that has authority to certify payment to the vendors.

6. Generally, how will data be retrieved by the user? 

The users will be contractors  - XXXXXXXX, XXXXX.  The front-end application for the system is XXXX.  In order to access any data, users will need to be located in HCTC facilities, and have access to the XXXX application.  All users will have completed an MBI and form 5081 prior to gaining any access to the system.  User Privileges and User Roles determine the types of data that each user has access to.   Each user will have access only to those data fields that are required to fulfill their job description. 

7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier? 

System users that will search for data are HCTC contractors (XXXXX, XXXXX).   They will locate the taxpayer’s data by searching for the taxpayer’s Customer Account Number, TIN/SSN, or Name.  Customer Account Number is an auto-generated number within the system, that will be used whenever possible, to limit the use of SSNs. Other fields (such as Address) will not be searchable (to prevent monitoring). In order to interface with the IRS systems, HCTC needs to be able to identify users by TIN.  As a tax system, identifying an individual by TIN also allows for HCTC to produce the 1099-H form that will be required for individuals to complete their end of year tax forms.

Access to the Data

8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?

Internal Users that interface with the system are contractors.  External Users (stakeholders) will have access to data in the form of reports or files.

Note: All Internal Users of  the system will have completed an MBI and a form 5081 prior to gaining access to the system.  The Form 5081 will detail what access the user needs, and why.  The Security Administrator will be responsible for determining the level of access.

External Users will be bound by the limitations of the Interconnection Security Agreement.

Users will have the following access (A user may have more than one role depending on capability):

Data Entry Clerks will have access to all data in the system.  This is so a CSR will be able to provide all “eligibles” with information on what is stored in XXXXXX for their record.

Data Entry Verifiers have access to updating vendor and premium information in XXXXX after HCTC receives the “eligible’s” invoice/COBRA Election Letter. 
Vendor Data Entry analysts will have access to updating the vendor master list in XXXXX.  The vendor master contains all the State Approved Health plans and “qualified” vendors that “enrollees” participate with.
Financials Data Entry Analysts will have access to the SAP application to make any financial adjustments.

The Security Administrator will not see any taxpayer data.  The Security Admin will assign initial identifications and passwords, security profiles, and other security characteristics of new users. Other tasks will include changing security profiles for existing users, ensuring that user’s access or type of access is restricted to the minimum necessary to perform his/her job, and monitoring system integrity, protection levels, and security-related events.  A critical function of the Security Administrator is to generate audit trails and security reports and distribute them to the appropriate manager.

The System Administrator will be responsible for authorizing and removing access for those who install, operate, or maintain the system, and making sure all users are familiar with documented security practices/rules before granting them access. The system administrator will also be responsible for maintaining a copy of the authorization/approval (e.g., Form 5081) for each user accessing a system systems under his/her control, monitoring access of system users, and maintaining an up-to-date list of authorized system users for systems under his/her control; The system administrator will not see any taxpayer data.

Maintenance users will not be viewing individual pieces of data.  Maintenance users will be handling table maintenance and other tasks as necessary.
USBank data entry clerks will enter payments into their system corresponding to TINs that HCTC sends USBank.  The only data they will see is the TIN, and the only data they will modify is the payment-received amount.

ICONS – HCTC representative will receive a report of TINs that did not pass Level 1 edits.  This report is generated by the ChoicePoint system.

The IRS HCTC payment certification employees will have access to the SAP application.  Their access will be limited to TIN information and corresponding payment amount information sent by USBank.  Along with that information will be the HCTC proposal as to whether the whole premium should be released to the vendor on behalf of the “enrollee.”

Their “write” access will include whether the proposed payment is approved or denied, and if denied, the reason why.

9. How is access to the data by a user determined and by whom? 

Each user is granted access based on their role.  Form 5081 will have signatures from the User’s Manager/COTR, the Functional Application Manager, and the Security Administrator.  The Security Administrator will determine the User’s role-based access to the system.  The System Administrator grants users’ access in the system based on the information completed on the form 5081.  Users will only be given access after an MBI is completed and form 5081 is completed. 

10. Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared.  If NO, continue to Question 12.

IRS AFS receives payment information from HCTC.  This file includes a Customer Account Number, amount of Total Premium, and Vendor Code and Policy number.  This information will be passed on to FMS from the IRS for payment.

FMS will then return a file to IRS indicating the amount that was paid for each Customer Account Number, the Date the payment was made, Treasury Schedule Number, the Check Number, and any additional information FMS needs to send.  The IRS will send this file through AFS to HCTC.

In the near future, the AFS system will be transitioning to the IFS system.

11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?

The AFS system has been verified to be Accredited and Certified.

12.  Will other agencies provide, receive, or share data in any form with this system?

ChoicePoint will provide the computer-matching processes required for TIN and Name Validation, DOB Validation, and Date of Death check.

ICON and PBGC will be providing eligibility information. HCTC has an ISA with each agency.

USBank will be receiving and providing taxpayer payment information, and will have an ISA.

The IRS will receive and send payment remittance information and will have an ISA.

Data will be sent to the external stakeholders using two media. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXX XXXXXXXXXXXXXXXXXXXXXX  XXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXX

Administrative Controls of Data

13.  What are the procedures for eliminating the data at the end of the retention period?

Data will be stored in one of two places after 2 years in the active database.  The archived tables will either be stored on magnetic media, or archived on another server.  After the 7 year retention period, the magnetic media storing archived tables will be degaussed following procedures described in IRM 25.10.1.  Any archived tables on a backup server will be truncated after the 7 year retention period. 

14.  Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15.   No.

15.  Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.  No.

16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.  No.

17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently?  Explain.  No.

18.  Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?

The only computer matching that can result in denial of benefits is the verification of TIN.  For those situations, the individual would need to contact the SWA (State Workforce Agency) that has their information, or PBGC, dependant on which list the individual believes they should be on. 

Another way an individual can be denied benefits, is if they fail one of the four self-attested questions (In Prison, Qualified Age, Medicare recipient, Spousal Coverage less than 50%) as dictated by the HCTC regulations.  In the case an individual is denied benefits due to failing one of the above described questions, there will be a process for individuals to appeal denial of ATC.  (Denial of ATC does not mean denial of end-of-year tax credit).

In the situation that an individual does not have a qualified vendor, they will be denied ATC, but may request enrollment again if they gain enrollment in a qualified plan.

The last way an individual can be denied benefits is if they either do not send in a document so that the program can verify vendor and premium amount, or if the individual does not send in their portion of the premium.  There is a process for individuals to appeal denial of ATC.

19.  If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?

The system is not open to the public.  The applications in this system are available only to authorized users. Some of the applications are “browser-based,” but access to the application is limited to authorized users within HCTC facilities.  Authorized users have gained access only after completing a MBI and a form 5081.
 


Page Last Reviewed or Updated: November 19, 2004