HIPAA and the IRS. There isn’t a whole lot of guidance out there about what to do when the IRS knocks on your organization’s door and asks for protected health information. Should the agency be treated as a cop or robber?
The most risk-averse approach for a HIPAA-covered entity or business associate is to treat the IRS as a potential thief and draw the deadbolt on any data request involving PHI. That tack would, among other things, satisfy HIPAA's minimum necessary requirement in full and, frankly, reinforce the Everyman attitude toward the agency. Moreover, PHI produced in response to an Information Document Request (IDR) is unlikely to qualify under 45 CFR 164.512 as a disclosure required by law, a disclosure for an administrative proceeding, or a disclosure for a law enforcement purpose, because an IDR, unlike an administrative summons, is not self-enforcing and the IRS appears to lack the authority to compel compliance with one. However, we should be careful not to view the IRS with automatic HIPAA suspicion: in some circumstances the IRS performs a legitimate health oversight function, and a health oversight agency may receive PHI without individual authorization under the health oversight exception in 45 CFR 164.512(d). (That is a separate permitted disclosure, not the treatment/payment/operations exception, which covers a covered entity's own use and disclosure of PHI.)
Notwithstanding guidance issued by the Office of the Chief Counsel of the IRS on Sept. 10, 2004 (which nowadays is ancient history), the HIPAA regulations and their preamble indicate that the term "health oversight agency" is expansive and captures many government agencies not normally associated with healthcare (e.g., the Defense Criminal Investigative Service, the Department of Education, the DOJ, the EPA, and any federal agency's OIG). Ultimately, OCR found the range of health oversight agencies so broad that it opted not to include specific examples in the definition. That said, the IRS's role in enforcing standards within the healthcare industry has evolved dramatically since 2004, particularly with respect to tax-exempt hospitals and certain aspects of the Affordable Care Act. In light of these and other regulatory activities, many HIPAA-covered entities (notably health plans) do in fact view the IRS as a health oversight agency and list it as such in their notices of privacy practices.
So where does this leave us? Covered entities and business associates can approach IRS requests for PHI from (1) a patient-centric perspective, declining to provide the information sought, or (2) a "can we argue that we won't get into trouble if we comply?" standpoint (often the default). But which approach is right? As with most answers from lawyers, it depends - each IRS request should be judged on its merits and the totality of the circumstances surrounding it.
Without investing in such an involved analysis, however, a covered entity or business associate will never be in the wrong if it de-identifies data before shipping it to the IRS. On the other hand, it is questionable whether the IRS will accept that, and the covered entity or business associate may not be capable of fully de-identifying the PHI. On the latter point, too many still hold the misguided belief that taking a Sharpie to names and SSNs suffices. It often comes as a surprise that de-identification under HIPAA's Safe Harbor method (45 CFR 164.514(b)(2)) requires stripping 18 categories of identifiers of the individual and of the individual's relatives, employers and household members - including, for example, every date element other than the year, any age over 89, and any geographic unit smaller than a state beyond the first three digits of the ZIP code - and that the covered entity must have no actual knowledge that the remaining information could identify the individual. The only alternative is a documented expert determination that the risk of re-identification is very small.
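To make the "Sharpie is not enough" point concrete, here is an added example (not code from the original post) that applies the Safe Harbor rules of 45 CFR 164.514(b)(2) to a constructed patient record in Python. Field names, the sample record and the free-text patterns are assumptions for illustration; the list of sparsely populated ZIP3 prefixes is reproduced from memory of OCR's de-identification guidance (2000 census figures) and should be verified against the current guidance before use. Note that even a clean pass through this code does not by itself satisfy Safe Harbor, which also requires no actual knowledge that the remaining data could identify the individual.

```python
"""Safe Harbor de-identification of a patient record (added example).

Drops the direct identifiers outright, generalizes ZIP, dates and ages the way
45 CFR 164.514(b)(2) requires, and scrubs obvious residual identifiers from a
free-text field. Field names and the sample record are assumed, not real.
"""
import re
from datetime import date

# ASSUMPTION: ZIP3 prefixes with 20,000 or fewer residents per OCR's guidance
# (2000 census); these must be reported as "000". Verify before relying on it.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Assumed field names mapped to the Safe Harbor category they fall under.
# Every one of these is removed from the record entirely.
DIRECT_IDENTIFIERS = {
    "name": "names", "street": "geography smaller than a state",
    "city": "geography smaller than a state", "phone": "telephone numbers",
    "fax": "fax numbers", "email": "email addresses",
    "ssn": "social security numbers", "mrn": "medical record numbers",
    "plan_id": "health plan beneficiary numbers", "account": "account numbers",
    "license": "certificate/license numbers", "plate": "vehicle identifiers",
    "device_serial": "device identifiers and serial numbers", "url": "web URLs",
    "ip": "IP addresses", "fingerprint": "biometric identifiers",
    "photo": "full-face photographs",
}
DATE_FIELDS = ("dob", "admit_date", "discharge_date")

# Heuristic patterns for identifiers left behind in free text (category 18:
# "any other unique identifying number, characteristic, or code").
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),  # keep only the year
]


def generalize_zip(zip_code):
    """Keep the first three ZIP digits; collapse sparse prefixes to 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_only(iso_date):
    """Strip month and day from an ISO date string, keeping only the year."""
    return iso_date[:4] if iso_date else None


def generalize_age(age):
    """Ages over 89 must be aggregated into a single '90 or older' bucket."""
    return "90+" if age is not None and age >= 90 else age


def scrub_free_text(text):
    """Best-effort redaction of residual identifiers in narrative text."""
    for pattern, repl in FREE_TEXT_PATTERNS:
        text = pattern.sub(repl, text)
    return text


def safe_harbor(record, reference_date):
    """Return (de-identified copy, list of fields dropped outright)."""
    out, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            removed.append(key)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    # Any date element that reveals an age over 89, including the birth year,
    # has to go along with the age itself.
    if record.get("dob"):
        born = date.fromisoformat(record["dob"])
        age = reference_date.year - born.year - (
            (reference_date.month, reference_date.day) < (born.month, born.day))
        if age >= 90:
            out["dob"], out["age"] = None, "90+"
        elif "age" not in out:
            out["age"] = age
    return out, removed


SAMPLE = {  # constructed sample record, not real data
    "name": "Jane Q. Example", "street": "12 Elm St", "city": "Anytown",
    "state": "VT", "zip": "05901", "dob": "1931-06-15",
    "admit_date": "2023-11-02", "discharge_date": "2023-11-05",
    "ssn": "123-45-6789", "mrn": "MRN-0099812", "diagnosis_code": "E11.9",
    "notes": "Patient reached at 802-555-0147; ssn 123-45-6789 on file. "
             "Follow-up 2024-01-10.",
}


def deidentify_sample():
    """De-identify the constructed sample as of its discharge date."""
    return safe_harbor(SAMPLE, date(2023, 11, 5))


if __name__ == "__main__":
    cleaned, dropped = deidentify_sample()
    print("dropped:", dropped)
    print("kept:", cleaned)
```

Run on the sample, the name, address, SSN and MRN disappear, the ZIP becomes "000" because the 059 prefix is on the restricted list, the admission and discharge dates collapse to "2023", and the 1931 birth date is removed entirely because it implies an age over 89, which is reported as "90+". The phone number and SSN buried in the notes field, the sort of thing a Sharpie pass misses, are redacted as well.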
The distinctions drawn above may seem a bit academic. But the upshot is that while good arguments can be made that the IRS is not acting in a health oversight capacity when it seeks PHI, we need to be aware that under certain circumstances the IRS may be a health oversight agency with which PHI may be shared without individual authorization. Covered entities should be careful not to argue that the IRS is never a health oversight agency - they may find out later that the knock on the door actually had a badge behind it.