On Wednesday, a new critique of the Affordable Care Act entered the fray. An audit by the Treasury Inspector General for Tax Administration said that under current conditions, the Internal Revenue Service’s Internal Revenue Manuals “do not address management’s responsibility for managing, monitoring, and mitigating fraud risk with the development of new information technology systems for the ACA.”
The manuals are a compilation of tax code procedures and guidelines, and so far, “the ACA Program has not yet completed a fraud mitigation strategy to guide ongoing systems development.” The Treasury Inspector General classifies this as a vital component for protecting against improper payments, as “Robust fraud mitigation controls and new systems are required to reduce improper and erroneous payments and fraud risk.”
The report says that the IRS has agreed to develop strategies for fraud mitigation and will create or update “appropriate IRM sections.” The IRS acting commissioner, Danny Werfel, added to this in a statement published by Politico: “The IRS has a strong, effective system in place for administering the Premium Tax Credit. We have a proven track record of safely and securely transmitting federal tax information, and we have a robust and secure process in place to deliver this important credit for taxpayers.”
At the White House, Press Secretary Jay Carney agreed. In a press conference, he repeated Werfel’s words when questioned about the audit. “I think that the IRS has a great deal of experience in protecting taxpayers’ information and would point you to what the IRS says.” Carney also stated that he had not read the Treasury Inspector General for Tax Administration report.
Sen. Orrin Hatch (R-Utah) was not placated by the promises of the IRS, Werfel, or Carney. He released his own statement on the findings, in which he said, “The ObamaCare premium subsidies are a fraudsters dream come true.” His reasoning is that since a person pays first and has his or her income verified later, there is no estimating the amount of fraudulent transactions that could take place.
“While the IRS needs to do more to ensure more safeguards are put in place, the fact is that the problems with these tax credits are deeply rooted in the law itself,” Hatch said. “I fear the IRS will never be fully capable of ensuring that these refundable tax credits got to those who are truly eligible.”
The Treasury Inspector General for Tax Administration report also contained a number of other findings and recommendations meant to boost the federal tax agency’s ability to successfully implement the portions of the law it is responsible for.
The IRS agreed to many suggestions but balked at implementing a program that “resolves or develops an action plan with specific corrective actions and time periods for the failed security tests as part of the ACA Security Assessment and Authorization.” The IRS says it already has policies in place that will see this is done.
The IRS explanation did not sway auditors: “Such a resolution or an action plan with the corrective actions is needed to ensure that the IRS is addressing the vulnerabilities in information systems that can be traced to software flaws and misconfigurations of system components for the PTC Project and across other information technology projects being developed by the ACA Program.”
This is not the first time an aspect of the health care law’s technology security has been criticized. On November 19, the House Committee on Science, Space, and Technology held a hearing on the security of HealthCare.gov. In the submitted testimony of David Kennedy, the CEO of TrustedSec LLC, the company said it had “serious concerns over the security of the website and the ability to protect information.”
The CEO of Crowd Sourced Investigations LLC, Morgan Wright, also testified. He said that the “gaping hole” allowed in respect to the website’s security “shows a lack of understanding for the consequences to consumers.”