Republican leaders in the U.S. House Committee on Energy and Commerce are digging deeper into allegations that the Internal Revenue Service (IRS) inappropriately apprehended millions of Californian patient medical records. In a letter sent Tuesday to IRS acting Commissioner Danny Werfel, these lawmakers called into question the IRS’s plans with the records and to what degree it falls under HIPAA jurisdiction.
It was announced in March that 15 IRS agents were part of a class-action lawsuit due to “an unlawful search and seizure” that took place on March 11, 2011. At the time, there were few details available other than that “John Doe” was a HIPAA covered entity suing the IRS because it had taken more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians during a records search of a former company employee. We also know that John Doe Company is looking for $25,000 in compensatory damages “per violation per individual” as well as punitive damages for constitutional violations,
However, lawmakers still want to know whether HIPAA’s privacy laws apply to the IRS and how it’s using the confiscated records. Moreover, given the IRS’s forthcoming role in aiding the government in protecting patient data, the House wants to know how the IRS views and follows HIPAA policies and procedures. These were three questions it wanted answered by the IRS by June 21:
1. Please outline the IRS’s current policies and procedures for requesting and examining protected health information (PHI) from a HIPAA covered entitity.
2. In the opinion of the IRS, does the term “return of information” as defined in 26 U.S.C. 6103, include electronic medical records which are obtained pursuant to a legally-authorized warrant? Does the term “return information” as defined in 26 U.S.C. 6103 include electronic medical records which are obtained improperly or inadvertently during the execution of a legally authorized warrant?
3. In the even the IRS obtains PHI not authorized by a court order, subpoena, summons or warrant, what policies or procedures does the IRS have in place to ensure such information remains confidential and private. Is the IRS obligated to maintain such information as confidential under 26 U.S.C. 6103? Is the IRS obligated to return such information?
It seems as though the House agrees that there’s a lack of information regarding how the IRS is using the data and whether HIPAA language is applicable in the context of this seizure of data.
