Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  
magnifying glass
Advanced Search   Search Tips

HCTC Drop Box

 

Privacy Impact Assessment – IRS Health Coverage Tax Credit (HCTC) Drop BOX/Server

HCTC Drop Box System Overview

The HCTC Drop-box serves as the interface between the HCTC and the IRS Integrated Financial System (IFS).  The connectivity between HCTC and IFS supports the payment of premiums to health care providers via Treasury FMS in support of the HCTC program.  Data moves from the HCTC system to the IFS via the HCTC Drop-box using the File Transfer Protocol (FTP) and is delivered over a Secure Virtual Private Network (VPN) circuit. 

System of Records Number(s)
Treasury/IRS 22.012 - Health Coverage Tax Credit Program Records

Data in the System

1. Describe the information (data elements and fields) available in the system in the following categories:

A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)

The server is designed to be a secure pass through system only.  Data will be sent from the HCTC system XXXXXXX to the HCTC drop box, the data will then be picked up from the IFS system and passed on the FMS application.

A. Taxpayer data will be FTP’d to the box and will be either pushed or pulled from IFS and/or XXXXXX (HCTC). (XXXXXXX)

B. There will be no Employee data on the system.

C. The HCTC Drop Box will run standard XXXX audit trail software as required for all XXXXXX systems.

D.  N/A

2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.

A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)

A.  The IFS system will create an extract file to send to the HCTC system.  It will contain information such as HCTC document number, the Financial Management System (FMS) schedule number, the EFT or check number, payment issue date, and vendor code.

B.  The HCTC system will upload a file to the HCTC server in the Detroit Internet Gateway (DIG) for information to add the necessary payment strings and data.  It will contain information such as vendor number, employer name, name of the insured individual, insured individual address, and remittance data (a combination of health care provider policy #, group #, and member #).  Record name is hctc_invoice.dat

C. IRS and/or Contractor XXXXXX employees will enter their User ID to log onto the system, and their User ID will be used for audit tracking. 

User ID will be the only employee data stored in the HCTC system.  All users will fill out the OL5081 application for approval from HCTC project owner.

D. N/A
E.  N/A
F.  N/A

3. Is each data item required for the business purpose of the system? Explain.

All data collected in necessary for administering the Advanced Tax Credit mandate as described in the HCTC regulation.  Advanced Tax Credit (ATC) is a component of HCTC.  No health information will be collected.  The data that is collected will be information that facilitates premium payment or end-of-year-tax credit, dependent information, and vendor information. 

4. How will each data item be verified for accuracy, timeliness, and completeness?

The information received from Accenture and IFS is expected to be accurate and legible.

On the Drop box there is no data verification needed, it is just a server that data resides on until one of the two parties retrieves the file.  The verification is conducted on the other systems (HCTC and IFS).  No processing is done on this Box.

5. Is there another source for the data? Explain how that source is or is not used.   No.

6.  Generally, how will data be retrieved by the user?

The data will be retrieved over an encrypted VPN between the Detroit Computing Center and the HCTC XXXXXX system.

7.  Is the data retrieved by a personal identifier such as name, SSN, or other unique identifier?  No.

Access to Data

 8.   Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?

The payment data exchanged between IFS and HCTC is done via the drop-box using FTP and an encrypted VPN between DCC and HCTC.  End users do not have direct access to the data on the drop-box.

The Security Administrator will not see any taxpayer data.  Ensuring that user’s access or type of access is restricted to the minimum necessary to perform his/her job, and monitoring system integrity, protection levels, and security-related events.  A critical function of the Security Administrator is to generate audit trails and security reports and distribute them to the appropriate manager.

The System Administrator will be responsible for authorizing and removing access for those who install, operate, or maintain the system, and making sure all users are familiar with documented security practices/rules before granting them access. The system administrator will also be responsible for maintaining a copy of the authorization/ approval (e.g., Form 5081) for each user accessing a system systems under his/her control, monitoring access of system users, and maintaining an up-to-date list of authorized system users for systems under his/her control; The system administrator will not see any taxpayer data.

9. How is access to the data by a user determined and by whom?

For HCTC each user is granted access based on their role.  Form 5081 will have signatures from the User’s Manager/COTR, the Functional Application Manager, and the Security Administrator.  The Security Administrator will determine the User’s role-based access to the system.  The System Administrator grants users’ access in the system based on the information completed on the form 5081.  Users will only be given access after a Minimal Background Investigation (MBI) is completed and form 5081 is completed.

10. Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared .  If  NO continue to Question 12.

Yes, HCTC Application shares data with IFS.  It will contain information such as vendor number, employer name, name of the insured individual, insured individual address, and remittance data (a combination of health care provider policy #, group #, and member #).  Record name is hctc_invoice.dat

11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?

Yes.  HCTC Application  Certification is unconditionally valid until July 27,2006.  The IFS application Certification is in process.

12.  Will other agencies provide, receive, or share data in any form with this system?  No.

Administrative Controls of Data

13.  What are the procedures for eliminating the data at the end of the retention period?

HCTC data will be stored in one of two places after 2 years in the active database.  The archived tables will either be stored on magnetic media or archived on another server.  After the 7 year retention period, the magnetic media storing archived tables will be degaussed following procedures in IRM25.10.1.  Any archived tables on a backup server will be truncated after the 7 year retention period.

14.  Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15.  No.

15.  Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.  No.

16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.  No.

17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently?  Explain.  No.

18.  Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?  N/A

19.  If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?  N/A
 


Page Last Reviewed or Updated: November 09, 2004