Texas Works Handbook

C-1010, Clearance of IEVS Reports by the Office of Inspector General that Do Not Include IRS FTI

C-1011 OIG IEVS Process

Revision 21-4; Effective October 1, 2021

TANF, SNAP and Medicaid

The IEVS module within the Automated System for Office of Inspector General (ASOIG) automates the creation, distribution and clearance of IEVS matches for OIG staff. OIG staff review matches from certain IEVS worksheets (primarily Unemployment Insurance Benefits [UIB] and Wage) as a detection source to identify potential fraud, waste or abuse by current or former recipients. OIG uses the IEVS module to process and clear IEVS matches assigned to the OIG Program Integrity Intake unit within 45 days.

C-1012 Review the Case Record

Revision 21-4; Effective October 1, 2021

TANF, SNAP and Medicaid

When processing an IEVS match, OIG staff may review case data in Texas Integrated Eligibility Redesign System (TIERS) and the TIERS Historical Case Report (THCR) to determine application entries, interview responses, other eligibility factors and benefits issuance details and history.

OIG staff research the complete action that occurred before the relevant IEVS income date(s). If the information associated with the match is not found for the period in question in the most recent eligibility action, OIG staff review all actions from the period in question through the current action.

OIG staff may:

  • review Data Broker for sources of income by checking Texas Workforce Commission (TWC) Wage Detail, Unemployment Insurance Benefits (UIB) and the Employer New Hire Report (ENHR);
  • review other available sources of income information; and
  • document findings on the worksheet in the ASOIG IEVS module.

Related Policy

Employer New Hire Report (ENHR) and National Directory of New Hires (NDNH) Report, C-825.12
Texas Workforce Commission (TWC) Wage/Benefits, C-825.13

C-1013 Request Verification

Revision 21-4; Effective October 1, 2021

TANF, SNAP and Medicaid

OIG Benefits Program Integrity (BPI) staff request verification if the IEVS Match information on wages:

  • was not reported or budgeted correctly in TIERS; or
  • was budgeted in the case but the IEVS Match discrepancy amount for an individual employer is more than $300 per month or household income exceeds 130% of the federal poverty level (FPL).

In these situations, verification is required to determine if the income is ongoing and affects current benefits, the income causes an overpayment or both.
OIG BPI staff obtain verification by:

  • calling the employer;
  • accessing Data Broker; or
  • sending an OIG verification letter to the individual and payer.

OIG staff allow at least 10 days from the print date of the letter for the person or payer to provide verification. The request for verification letter informs the recipient that the information is needed because OIG is reviewing the case to determine if benefits were issued correctly.

C-1014 OIG IEVS Income Action Messages

Revision 21-4; Effective October 1, 2021

TANF, SNAP and Medical Programs (Except TP 40, TP 43, TP 44 and TP 48)

OIG staff may create an income action message in the ASOIG IEVS module for the Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF) program and Medicaid programs, except for TP 40, TP 43, TP 44 and TP 48. The income action message alerts interview staff that more action may be necessary because available information indicates that income is ongoing or resources exist that may affect current eligibility or benefits.

OIG staff summarize findings in the comment section of the income action message. Customer Care Center (CCC) staff view detailed information regarding the income from the automated IEVS match worksheet within ASOIG.

There are three different types of action or information messages that OIG may create in the ASOIG IEVS module.

OIG creates a(n)...When...
Income Action Message

Note: Action messages created based on IRS FTI are limited to those matches with a source listed as "Self" or "Earn."
  • verifying whether a matched person’s ongoing income affects current eligibility or benefits for the household; or
  • the matched person fails to provide verification of ongoing income. (OIG creates an overpayment referral for the time period listed on the IEVS match if the worksheet indicates that resources affect prior eligibility.)
Resource Action Message
  • verifying whether a matched person’s resource affects current eligibility or benefits for the household (OIG completes overpayment referral, if appropriate); or
  • the matched person fails to provide verification of existing or ongoing resources. (OIG creates an overpayment referral for the time period listed on the IEVS worksheet if the matched resources affect prior eligibility.)
Resource Information Message
  • the matched person’s resource is ongoing and is under limit or inaccessible;
  • the matched person’s resource is ongoing, the TIERS case status as of the review date is ongoing denied; or
  • the matched person did not provide verification to OIG and TIERS case status as of the review date indicates ongoing denied.

OIG staff summarize findings in the TW Comments section of the IEVS worksheet. View detailed information regarding the person’s income, resources or both on the IEVS worksheet in the ASOIG IEVS module.

C-1020, Clearance of IEVS Reports by Texas Works Staff

C-1021 Reserved for Future Use

Revision 21-4; Effective October 1, 2021

C-1022 OIG IEVS Action Message Clearance Process

Revision 21-4; Effective October 1, 2021

TANF, SNAP and TP 08

Designated CCC staff conduct a daily review of the “MATCH TW Alert Details” in the ASOIG IEVS module and assign HHSC IEVS staff to review and take steps to clear each action message.

HHSC IEVS staff create a task to clear the action message for cases in TIERS within two business days of receiving the message. If these tasks are assigned to specific units, the unit supervisor or a designee (such as a clerk) assigns the task to the appropriate staff by the next business day following receipt. Staff must complete the change within 10 days after the date it is assigned. The date of assignment is day zero.

When an IEVS MATCH TW action message is generated based on IRS FTI, the action or resource message will be on a screen clearly labeled with an FTI warning. All information in the IEVS module containing FTI (such as payer name, account number or pay amounts) is considered IRS FTI. If staff print IEVS module worksheets, they must secure them according to IRS safeguard requirements.

Each worksheet with a message from OIG BPI will indicate the type of action required. OIG BPI staff process action messages if the household did not provide accurate information during the interview or application processing, or if the increase in income identified via IEVS caused the household income to exceed 130% Federal Poverty Level (FPL) for SNAP streamlined reporting (SR) households.

Upon receipt of an action message, HHSC IEVS staff must take the following action to clear the message based on the reason the message was issued.

If the ...then HHSC IEVS staff ...
verification provided to OIG BPI indicates income affects current eligibility,
  • send manual Form H1017, Notice of Benefit Denial or Reduction, to deny or reduce the benefits based on income or resources. If staff do not receive verification from OIG, then document that OIG has the verification. Copies of verification received by OIG may be provided to Texas Works staff upon request.
  • provide advance notice and process the denial or adjustment after the adverse action period expires.
person fails to provide verification to OIG BPI,
  • send a manual Form H1017 to deny the benefits for failure to provide the information. Note: A manual notice and denial is required because TIERS will not allow a denial for failure to provide information without previously issuing Form H1020, Request for Information or Action.
  • for Non-FTI Alerts: In the comments section, document the information the person failed to provide and what the person can do to re-establish eligibility as specified in the Form H1017 instructions. If the person fails to provide the requested information within the adverse action time frame, process the denial for failure to provide information.
  • for FTI Alerts: In the comments section, document the following message:
    • "You failed to provide information to the Office of Inspector General. Contact [OIG investigator's name] at [investigator's phone number] if you have questions. You may reapply for benefits and will be required to provide the information previously requested."
    • "Usted no presentó información a la Fiscalía General. Si tiene alguna pregunta, comuníquese con [OIG investigator's name] al [investigator's phone number]. Puede volver a solicitar beneficios, pero tendrá que presentar la información que se le pidió anteriormente."
  • if the person fails to provide the requested information within the adverse action time frame, manually process the denial for failure to provide information. Note: A manual notice and denial is required because TIERS will not allow a denial for failure to provide information without previously issuing Form H1020.
  • if verification is provided within the adverse action time frame, send an email to the OIG investigator notifying the investigator about receipt of the information and include a copy of the verification. Take action on the case based on the verification provided.

Notes:

  • The investigator's name and phone number are listed on the automated worksheet in the IEVS module.
  • If HHSC IEVS staff do not provide the case record within 10 days or upon OIG BPI request, OIG BPI staff will contact the regional director.

Additional Information Regarding IRS FTI MATCH TW Action Messages

If HHSC IEVS determines that the person does not have the resource or income for which OIG requested information, staff must request verification of the information (including IRS FTI) using a manual Form H1020, Request for Information or Action. If attaching a verification form, such as a bank verification form or Form H1028, Employment Verification, do not include any IRS FTI on the verification form. File the manual Form H1020 in the case record and secure the case according to the IRS safeguarding requirements, because the case record now contains IRS FTI.

When the person provides the information requested on the verification form, the information on the verification form is no longer considered IRS FTI. The file copy of Form H1020 remains IRS FTI and must be kept in the case record for the duration of the retention period.

When requesting more information that does not contain IRS FTI, staff may issue a second Form H1020 through TIERS or request the information on a manual Form H1020.

Note: If HHSC IEVS staff complete a manual Form H1020 because the only required verification is IRS FTI, TIERS will not allow a denial based on failure to provide verification, since Form H1020 was not generated via TIERS. Staff may generate Form H1020 indicating a manual Form H1020 was provided to the person. Do not provide the notice generated from TIERS to the person. Document the reason for generating an electronic pending notice in the case comments and reference the manual Form H1020 that was issued.

If the person fails to provide the information, issue a manual Form H1017 to deny the case for failure to provide information.

C-1023 Reserved for Future Use

Revision 21-4; Effective October 1, 2021

C-1024 Client Reapplies

Revision 21-4; Effective October 1, 2021

TANF, SNAP and TP 08

If a person reapplies after being denied for failure to provide information to OIG, interview staff must obtain the verification requested by OIG before recertifying the case. If the person indicates the verification was provided to OIG, contact the OIG investigator. Exception: If the person can reasonably explain why the requested information cannot be obtained or provided, use the best available information.

Note: For FTI-related information, if the person self-discloses the information on the application that was observed through an IEVS FTI action message, the information is no longer considered IRS FTI.

Related Policy

Questionable Information, C-920

C-1025 Appeals

Revision 21-4; Effective October 1, 2021

TANF, SNAP and TP 08

If staff receive a request for an appeal based on action taken by:

  • OIG, contact the OIG via the Benefits Program Integrity (BPI) mailbox on the same day the request is received.
  • Eligibility staff as a result of an action message, file the appeal. Complete Form H4800, Fair Hearing Request Summary, and Form H4800-A, Fair Hearing Request Summary (Addendum). On Form H4800-A, Section 2, Materials Attached, indicate under Other Related Materials, that action messages generated by OIG need to be considered in the appeal. Enter the OIG Investigator's name and phone number on Form H4800, indicating the OIG investigator as potential resource witness.

If OIG receives a request for an appeal based on action taken by eligibility staff, OIG will notify the Central Representation Unit (CRU) the same day. CRU will coordinate with the eligibility staff person who took the action based on the action message. If the appeal is related to an IRS FTI match, OIG may assist by providing more information to the hearing officer according to IRS requirements for safeguarding FTI.

C-1026 HHSC IEVS Information Message Review Process

Revision 21-4; Effective October 1, 2021

TANF, SNAP and TP 08

At the region's discretion, staff may contact HHSC IEVS staff to review the messages in the IEVS module before certification of benefits. Information messages serve as a case clue to eligibility staff to identify potential resources not reported by the person applying for benefits.

When a MATCH TW Message is generated based on IRS FTI, the action or resource message will be on a screen clearly labeled with an FTI warning. When based on an FTI match, consider all associated information on the IEVS module such as payer name, account number and pay amounts, as IRS FTI. While eligibility staff are not prohibited from printing IEVS module worksheets with MATCH TW Messages, staff must secure these worksheets per safeguarding requirements.

C-1030, Reversed for Future Use

Revision 21-4; Effective Oct. 1, 2021

C-1040, Reversed for Future Use

Revision 21-4; Effective October 1, 2021

C-1050, IRS FTI Security and Protection

Revision 24-3; Effective July 1, 2024

All Programs

Federal Tax Information (FTI) includes tax returns or return information received directly from the IRS or obtained through an authorized secondary source such as the Social Security Administration. Staff must protect digital and non-digital media containing FTI from unauthorized inspection and disclosure. Digital media includes a computer, mobile device and removable storage, such as CDs, DVDs and external hard drives. Non-digital media includes a paper form, report and log.

HHSC limits FTI access to staff whose duties require access. HHSC agency and non-agency staff access FTI physically and through the Automated System for Office of Inspector General (ASOIG). Staff must handle FTI using the following policies to ensure information does not become misplaced, stolen, or made available to unauthorized personnel.

TANF, SNAP and TP 08

HHSC IEVS staff must retain electronic IEVS worksheets for five years. Staff may log and destroy any printed IEVS module records using IRS safeguarding requirements once they are no longer needed because the electronic records are available and kept in ASOIG for the applicable retention period.

The following forms must be kept for five years from the date of the last entry on the form:

  • Form H1861, Federal Tax Information Record Keeping and Destruction Log;
  • Form H1862, Federal Tax Information Transmittal Memorandum;
  • Form H1863, Federal Tax Information Removal Log;
  • Form H1864, Federal Tax Information Fax Transmittal; and
  • Form H1866, Federal Tax Information Visitor Access Log.

C-1051 IRS FTI Security and Awareness Training

Revision 24-3; Effective July 1, 2024

All Programs

HHSC and non-HHSC staff who access or may potentially encounter FTI must take and pass the annual Safeguarding IRS Federal Tax Information training to receive and maintain their access permissions to ASOIG. HHSC staff access the training course under System Training Solutions (STS) in the Centralized Accounting and Payroll/Personnel System (CAPPS). Non-HHSC staff may contact the HHSC IRS Coordinator by email at the HHSC AES Federal Tax Info Training Mailbox to get a copy of the training.

HHSC developed the Safeguarding IRS Federal Tax Information training with role-based job aids as an agency resource for security and privacy awareness. HHSC updates this training on an annual basis to reflect any system and policy changes and address audit findings.

Upon completion of the Safeguarding IRS Federal Tax Information training, HHSC staff submit a confirmation of understanding in STS. The confirmation acknowledges staff completed a thorough review of the web-based training and job aids in the resources tab relevant to their professional role. Additionally, it confirms understanding of incident reporting requirements. STS maintains a record of completion for each employee. Non-HHSC staff must review a PDF version of the training, sign Form H4096, Safeguarding Information Certification, and submit the form to their management. The form confirms completion and understanding of the material within the training, as well as the penalties involved for any unauthorized inspection and disclosure of FTI. Non-HHSC management must maintain a copy of the Form H4096 in the employee’s file.

HHSC staff must also complete the HHS Information Security/Cybersecurity Awareness Training and the HHS Privacy Training within 30 days from their hire date and before accessing ASOIG. These trainings are available in STS in CAPPS.

C-1052 Accessing IRS FTI

Revision 24-3; Effective July 1, 2024

All Programs

HHSC and non-HHSC staff are prohibited from using personally owned media on agency systems or system components. Staff are also prohibited from using portable storage devices in agency systems when such devices have no identifiable owner.

HHSC and non-HHSC staff must adhere to policies and procedures for the handling and protection of FTI to prevent unauthorized access and disclosure. Failure to adhere to the policies or procedures will result in disciplinary action, including warnings, access suspension, permanent access removal or termination.

HHSC and non-HHSC management notify their staff within 72 hours when the formal employee sanction process is initiated. The notification includes the staff member sanctioned and the reason for the sanction.

HHSC and non-HHSC management must remove system and physical access when their staff transfer or are reassigned to a position that no longer requires ongoing operational need to access FTI. HHSC and non-HHSC management submit a modified access request within 24 hours of the transfer or reassignment.

HHSC and non-HHSC management must remove system and physical access and discuss information security during an exit interview when employment is terminated. HHSC and non-HHSC management submit a modified access request within 24 hours of the termination.

Work areas where staff physically access FTI should be limited to authorized personnel only. These areas must be prominently posted and separated from non-restricted areas by physical barriers that control access. FTI must be secured during and after normal operating hours. Staff accessing secured areas must clearly display a picture identification badge. The badge may not be obstructed and must be displayed above the waist.

Staff responsible for protecting access to FTI must mark system media containing FTI to show the distribution limitations, handling caveats and applicable security markings, if any. Additionally, staff responsible for protecting access to FTI must physically control and securely store media containing FTI within agency-controlled areas. Protect system media until it is sanitized or disposed of using approved equipment and methods.

C-1052.1 Minimum Protection Standards

Revision 24-3; Effective July 1, 2024

All Programs

Minimum protection standards (MPS) require the agency to use at least two barriers to protect FTI from unauthorized access. These barriers include a combination of secured perimeters, security rooms, badged employees and security containers.

  • Secured Perimeters are enclosed by slab-to-slab walls constructed of durable materials and supplemented by periodic inspection. Any lesser-type partition must be supplemented by electronic intrusion detection and fire detection systems. All doors entering the space must be locked per Locking Systems for Secured Areas. In the case of a fence or gate, the fence must have intrusion detection devices or be continually guarded. The gate must be either guarded or locked with intrusion alarms.
  • Security Rooms are constructed to resist forced entry. The entire room must be enclosed by slab-to-slab walls constructed of approved materials, such as masonry brick or concrete, and supplemented by periodic inspection. Door hinge pins must be non-removable or installed on the inside of the room. Access must be limited to specifically authorized personnel.
  • Badged Employees can serve as the second barrier during business hours between FTI and unauthorized persons. The authorized personnel must wear picture identification badges or credentials. The badge must be clearly displayed and worn above the waist.
  • Security Containers are storage devices, such as turtle cases, safes, vaults or locked IT cabinets, with resistance to forced penetration and a security lock with controlled access to keys or combinations.

C-1052.2 Locking Mechanisms

Revision 24-3; Effective July 1, 2024

All Programs

All buildings, rooms and containers containing FTI must be locked when not in actual use. Key or combination locking mechanisms may secure FTI. Staff not authorized to access FTI may have a key to the building but not the secured room. This includes unauthorized agency staff, contractors, security personnel, custodial staff and landlords.

The following guidelines apply to key locking mechanisms:

  • The number of keys must be kept to a minimum.
  • Only authorized staff can access the secured area.
  • The unauthorized duplication of keys is prohibited.
  • Keys must be returned before departure for staff who retire, terminate employment or transfer to another position.
  • Management must conduct annual reconciliation of key records.

The following rules apply to combination locking mechanisms:

  • The combination is only shared with authorized staff.
  • The unauthorized disclosure of the combination is prohibited.

Management must change the combination at least annually or upon departure of staff that retire, terminate employment, or transfer to another position.

C-1052.3 Authorized Access, Visitor Access, and Authorized Personnel Lists

Revision 24-3; Effective July 1, 2024

All Programs

HHSC must maintain a visitor log and authorized access list (AAL) to record access to physical work areas containing FTI. Staff maintain Form H1866 as a record of visitor access to a restricted area. Security staff must validate a visitor’s identity by examining a government-issued identification, such as state issued identification, driver’s license or passport. An AAL is maintained and MPS enforced to facilitate the entry of staff who have a frequent and continuing need to enter a restricted area but who are not assigned to the area. The AAL must contain the following:

  • name of employee, vendor, contractor or non-agency personnel;
  • name of agency or department;
  • name and phone number of the agency point-of-contact authorizing access;
  • address of agency, vendor or contractor; and
  • purpose and level of access.

HHSC management must review the AAL monthly or upon potential indication of an event such as a security breach or personnel change. HHSC management must maintain an authorized personnel list of all staff who have access to information systems areas containing FTI.

C-1052.4 Access Control Systems

Revision 24-3; Effective July 1, 2024

All Programs

Access control systems, such as badge readers, smart cards or biometrics, that provide the capability to audit access control attempts, must maintain access control logs with successful and failed access attempts to secured areas containing FTI or systems that process FTI. Management must review access control logs monthly. Access control logs must contain the following information for each access request:

  • the name of the access control device owner;
  • the success or failure of the access request; and
  • the date and time of the access request.

C-1053 Transporting IRS FTI

Revision 24-3; Effective July 1, 2024

All Programs

Staff must transport media containing FTI to prevents loss or unauthorized disclosure. The IRS prohibits staff from transmitting FTI by agency email systems, Microsoft Teams or by phone. Staff must not use HHSC email addresses to send confidential or agency-sensitive information to personal email addresses.

Staff must secure computers and electronic media that receive, process, store, access, protect or transmit FTI in an area with restricted access. The agency must use encryption mechanisms on all computers and mobile devices that contain FTI to prevent access if lost or stolen. Staff must label removable media containing FTI.

Authorized staff must keep all computers, electronic media and removable storage containing FTI in their immediate protection and control during use. When not in use, authorized staff must secure the device in the proper storage area or container. Staff may not leave devices unattended in a public area. HHSC management must maintain inventory records of computers, electronic devices and removable media and complete a semi-annual review for control and accountability.

C-1053.1 In-Person Transport

Revision 24-3; Effective July 1, 2024

All Programs

Staff transporting media containing FTI must always keep it in their possession. Never leave FTI unattended in a public setting. Use Form H1863 when removing FTI from a file and retain the form for five years from the last FTI removal indicated.

For office relocations, ensure plans include the proper protection and accountability of all FTI. Staff must lock FTI in cabinets or sealed packing cartons while in transit. HHSC staff maintain custody of FTI to ensure cabinets or cartons containing FTI are not misplaced or lost in transit.

C-1053.2 Mail or Courier Transport

Revision 24-3; Effective July 1, 2024

All Programs

Double seal all FTI transported through the mail by sealing one envelope within another envelope. On the inner envelope, staff must mark Confidential with some indication that only the designated recipient is authorized to open it. Do not label the outermost envelope as FTI or provide any indication that it contains FTI. Use Form H1862 when mailing all paper documents that contain IRS data. The sender ensures the receiver acknowledges the receipt of the information.

C-1053.3 Fax Transport

Revision 24-3; Effective July 1, 2024

All Programs

Fax machines must be placed in a secure area and staff should refrain from faxing FTI, when possible. There must be trusted staff at both the sending and receiving fax machines. When faxing is required, staff must use Form H1864. The form must accompany all faxed documents that contain IRS data when transferred from one office to another or from an office to a banking institution for verification purposes. The sender ensures the receiver acknowledges the receipt of the information and retains this form for five years.

C-1054 IRS FTI Sanitation

Revision 24-3; Effective July 1, 2024

All Programs

The sanitization process removes FTI from media to ensure the information cannot be retrieved or reconstructed. Examples include but are not limited to digital media found in scanners, copiers, printers, computers, network components, mobile devices, and non-digital media such as paper and microfilm. Staff must use agency-approved software and methods for sanitizing FTI. The following are acceptable sanitization methods:

  • Clearing protects the confidentiality of information against a robust keyboard attack. Simple deletion of items is not sufficient. Clearing must not allow information to be retrieved by data, disk or file recovery utilities. It must be resistant to keystroke recovery attempts. Overwriting is an example of an acceptable clearing method.
  • Purging protects the confidentiality of information against a laboratory attack. This type of attack involves using signal processing equipment and specially trained personnel. Examples of acceptable purging methods are degaussing by destabilizing a device’s magnetic field and for ATA drives only executing the firmware Secure Erase command.

HHSC must maintain sanitization records which include the:

  • control number, file name and contents, or both for each record;
  • total number of records;
  • date and method of sanitation; and
  • date of sanitization verification.

C-1055 IRS FTI Destruction

Revision 24-3; Effective July 1, 2024

All Programs

The destruction process ensures that media with FTI cannot be reused as originally intended. Examples include but are not limited to disintegration, incineration, pulverizing, shredding and melting. Staff use Form H1861 to record and track the destruction of FTI. If non-HHSC staff destroy FTI, an HHSC employee must witness the destruction. Staff must use the following approved destruction methods for destroying FTI:

  • Incinerators certified to produce enough heat to burn the entire bundle. If the incinerator cannot burn the entire bundle, separate the pages to ensure all materials are incinerated.
  • Shredders producing crosscut particles which are a maximum of 1 mm by 5 mm or 0.04 inches by 0.2 inches. If shredding deviates from these specifications, then the FTI must be safeguarded until it reaches the stage where it is rendered unreadable through additional means, such as burning or pulping.
  • Disintegrator or Pulverizer equipped with a 2.4-mm or 3/32-inch security screen.

HHSC must maintain destruction records which include the:

  • date the records were received;
  • control number, file name and contents, or both for each record;
  • name of the person receiving the records;
  • total number of records, if available;
  • movement of records from receipt to destruction; and
  • date and method of destruction.

C-1060, Reporting IRS FTI Security Incidents

Revision 24-3; Effective July 1, 2024

All Programs

FTI security incidents include loss of control, unauthorized access, unauthorized disclosure or unauthorized inspection. Upon discovering an actual or possible compromise of IRS FTI or an unauthorized inspection or disclosure of IRS FTI, including breaches and security incidents, the person observing or receiving the information must immediately contact the HHSC IRS coordinator within 24 hours of initial discovery. Send a secure email with the subject line, Urgent: FTI Data Incident Report to the HHSC IRS Coordinator Mailbox.

The HHSC IRS Coordinator reports the incident by:

  • contacting the office of the appropriate special agent-in-charge, Treasury Inspector General for Tax Administration (TIGTA); and
  • following the IRS Office of Safeguards, as directed in Section 10.2 of IRS Publication 1075.

In the event the HHSC IRS coordinator fails to respond by the close of the next business day, staff immediately inform management by sending an email with the subject line, Urgent – Possible Unauthorized Disclosure or Inspection of FTI to HHSC Offices for Information Technology, Privacy Division, Chief Information Security Office and IRS coordinator.

Examples of FTI security incidents include but are not limited to:

  • leaving an agency computer or laptop with FTI unlocked and unattended;
  • leaving a file cabinet with FTI unlocked;
  • allowing contract IT Help Desk support access to an agency device with FTI while the user is accessing ASOIG;
  • printing FTI on Xerox Multi-Factor Office Devices;
  • allowing unmonitored contractor access to an FTI hardware server;
  • discussing FTI on a Voice over Internet Protocol (VoIP) phone with people or other agency employees;
  • viewing FTI remotely without approval;
  • sending screenshots of FTI data from the ASOIG application;
  • screensharing FTI during virtual meetings, which includes meetings conducted through Microsoft Teams, Zoom, Go To Meeting, Webex and Google Meet; and
  • stealing or losing laptop computers, removable devices or non-digital media containing FTI.

Related Policy

Reporting Unauthorized Inspection or Disclosure of Social Security Administration-Provided Information, B-1250

C-1061 Penalties for Disclosing FTI

Revision 24-3; Effective July 1, 2024

All Programs

People responsible for the willful unauthorized inspection or disclosure of FTI may be subject to criminal and civil penalties in addition to disciplinary action. Security incidents may also result in temporary or permanent suspension from ASOIG access.

Criminal penalties for willful unauthorized inspection of FTI are:

  • a fine up to $1,000; and
  • one year in prison, together with the costs of prosecution.

Criminal penalties for willful unauthorized disclosure of FTI are:

  • a fine up to $5,000; and
  • up to five years in prison, together with the costs of prosecution.

Civil penalties for willful unauthorized inspection or disclosure of FTI are:

  • the greater of $1,000 or actual damages for each incident; and
  • court costs and attorney fees to the plaintiff.