Health Privacy Brought to You by the IRS

Mark Baisley
Posted: Jul 28, 2013 12:01 AM

Last month, the Internal Revenue Service submitted a funding request to Congress in order to fulfill its stated role in the Affordable Care Act, charmingly branded as Obamacare.  So far, the IRS has assigned 1,200 of its agents to implement the 18 tax provisions and 47 monitoring functions.  Perhaps their most disturbing capacity will be to levy extra taxes on every individual who does not comply with the new health insurance regulations.  For that, the agency intends to hire an additional 6,700 agents.

It wasn’t so long ago that the Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress.  A key provision of HIPAA is to ensure the privacy of individual health care information.  The U.S. Department of Health & Human Services enforces the privacy specs within health care providers and government agency systems. The department holds that, “all Federal agencies must also meet the requirements of the Privacy Act of 1974, which restricts what information about individual citizens – including any personal health information – can be shared with other agencies and with the public.”

There is a bill making its way through the U.S. House of Representatives that hopes to "prohibit the Secretary of the Treasury from enforcing the Patient Protection and Affordable Care Act and the Health Care and Education Reconciliation Act of 2010."  Congressman Tom Price (R-GA) is joined by no fewer than 114 fellow House members in sponsoring this bill that he authored.

The notion of granting health care information to the Federal Government’s taxing agency is troublesome to Cyber Security professionals on a very basic level.  This move will create a classic organizational conflict of interest condition.  Access control mechanisms are expertly configured in healthcare IT systems throughout the nation in order to protect patient information and to comply with HIPAA.  But for every well-designed cyber security system, the insider threat always looms as the hacker’s trump card.

In his foundational book Principles of Computer Security, Wm. Arthur Conklin, PhD, writes, “Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world.  Insiders may actually already have all the access they need to perpetrate criminal activity such as fraud.  In addition to unprecedented access, insiders also frequently have knowledge of the security systems in place and are better able to avoid detection.”

Inviting 6,700 new IRS agents to join an already standing force of 1,200 existing agents would institutionalize the ultimate insider threat to Americans’ most private of personal information.  Of course, the Obama Administration will argue that this is an appropriate role for the Internal Revenue Service.  And the Internal Revenue Service will argue that they maintain the integrity to fill the role.  But of course both of those assertions are demonstrably untrue.

Story after frightening story emerges as the Congressional hearings continue in the investigation of IRS targeting.  Granting this new authority of information access and law enforcement on American citizens is beyond vexing.  The most insidious threat is the one who effects his scheme with authoritative innuendo, leaving no evidence of traceability.

In his classic portrayal of Becket, playwright Jean Anouilh’s characterization of King Henry II never commits murder.  Nor does he order that his antagonist Archbishop of Canterbury be killed.  The king merely wishes aloud before his closest royal nobles, “Will no one rid me of this meddlesome priest?”