Revision 24-3; Effective Sept. 1, 2024
Records must be safeguarded. Use reasonable diligence to protect and preserve records and to prevent disclosure of the information they contain except as provided by HHS regulations.
Reasonable diligence for employees responsible for records includes always keeping records:
- in a locked office when the building is closed;
- properly filed during office hours;
- in the office except when authorized to remove or transfer them; and
- per the guidelines for electronic file information as referenced in the HHS Computer Usage and Information Security training.
In addition to the measures for custody of records, use the following to safeguard tape match data obtained through the Income Eligibility and Verification System (IEVS) module within the Automated System of Office of Inspector General (ASOIG) application:
- Use IEVS data only for the purpose of determining eligibility for MEPD, Medicare Savings Program (MSP), Medical Assistance, Temporary Assistance for Needy Families (TANF) and Supplemental Nutrition Assistance Program (SNAP) benefits.
- Verify IEVS tax data before taking adverse case actions.
- Review the Annual Safeguarding IRS Federal Tax Information training and the following three laws that explain criminal and civil penalties for unauthorized disclosure of tax data once a year:
  - Section 7213 – Unauthorized Disclosure of Returns or Return Information, a criminal felony punishable upon conviction by a fine up to $5,000 not including the cost of prosecution, imprisonment for up to five years or both.
  - Section 7213A – Unauthorized Inspection of Returns or Return Information, a criminal misdemeanor punishable upon conviction by a fine up to $1,000 not including the cost of prosecution, imprisonment for up to one year or both.
  - Section 7431 – Civil Damages for Unauthorized Disclosure of Returns and Return Information, which permits a taxpayer to sue for civil damages if a person knowingly or negligently discloses tax return information and, upon conviction, requires that the taxpayer be notified.
Related Policy
Custody of Records, C-2300
System Generated IEVS Worksheet Legends of IRS Tax Data, Appendix XVII
IRS Tax Code, Sections 7213, 7213A and 7431, Appendix XVIII
C-2410 Accessing IRS FTI
Revision 24-3; Effective Sept. 1, 2024
All Programs
HHSC and non-HHSC staff are prohibited from using personally owned media on agency systems or system components. Staff are also prohibited from using portable storage devices in agency systems when such devices have no identifiable owner.
HHSC and non-HHSC staff must adhere to policies and procedures for the handling and protection of FTI to prevent unauthorized access and disclosure. Failure to adhere to the policies or procedures will result in disciplinary action, including warnings, access suspension, permanent access removal or termination.
HHSC and non-HHSC management notify their staff within 72 hours when the formal employee sanction process is initiated. The notification includes the staff member sanctioned and the reason for the sanction.
HHSC and non-HHSC management must remove system and physical access when their staff transfer or are reassigned to a position that has no ongoing operational need to access FTI. HHSC and non-HHSC management submit a modified access request within 24 hours of the transfer or reassignment.
HHSC and non-HHSC management must remove system and physical access and discuss information security during an exit interview when employment is terminated. HHSC and non-HHSC management submit a modified access request within 24 hours of the termination.
Work areas where staff physically access FTI should be limited to authorized personnel only. These areas must be prominently posted and separated from non-restricted areas by physical barriers that control access. FTI must be secured during and after normal operating hours. Staff accessing secured areas must clearly display a picture identification badge. The badge may not be obstructed and must be displayed above the waist.
Staff responsible for protecting access to FTI must mark system media containing FTI to show the distribution limitations, handling caveats and applicable security markings, if any. Additionally, staff responsible for protecting access to FTI must physically control and securely store media containing FTI within agency-controlled areas. Protect system media until it is sanitized or disposed of using approved equipment and methods.
C-2411 Minimum Protection Standards
Revision 24-3; Effective Sept. 1, 2024
All Programs
Minimum protection standards (MPS) require the agency to use at least two barriers to protect FTI from unauthorized access. These barriers include a combination of secured perimeters, security rooms, badged employees and security containers.
- Secured Perimeters are enclosed by slab-to-slab walls constructed of durable materials and supplemented by periodic inspection. Any lesser-type partition must be supplemented by electronic intrusion detection and fire detection systems. All doors entering the space must be locked per Locking Systems for Secured Areas. In the case of a fence or gate, the fence must have intrusion detection devices or be continually guarded. The gate must be either guarded or locked with intrusion alarms.
- Security Rooms are constructed to resist forced entry. The entire room must be enclosed by slab-to-slab walls constructed of approved materials, such as masonry brick or concrete, and supplemented by periodic inspection. Door hinge pins must be non-removable or installed on the inside of the room. Access must be limited to specifically authorized personnel.
- Badged Employees can serve as the second barrier during business hours between FTI and unauthorized persons. The authorized personnel must wear picture identification badges or credentials. The badge must be clearly displayed and worn above the waist.
- Security Containers are storage devices, such as turtle cases, safes, vaults or locked IT cabinets, with resistance to forced penetration and a security lock with controlled access to keys or combinations.
C-2412 Locking Mechanisms
Revision 24-3; Effective Sept. 1, 2024
All Programs
All buildings, rooms and containers containing FTI must be locked when not in actual use. Key or combination locking mechanisms may secure FTI. Staff not authorized to access FTI may have a key to the building but not the secured room. This includes unauthorized agency staff, contractors, security personnel, custodial staff and landlords.
The following guidelines apply to key locking mechanisms:
- The number of keys must be kept to a minimum.
- Only authorized staff can access the secured area.
- The unauthorized duplication of keys is prohibited.
- Keys must be returned before departure for staff who retire, terminate employment or transfer to another position.
- Management must conduct annual reconciliation of key records.
The following rules apply to combination locking mechanisms:
- The combination is only shared with authorized staff.
- The unauthorized disclosure of the combination is prohibited.
- Management must change the combination at least annually or upon departure of staff that retire, terminate employment or transfer to another position.
C-2413 Authorized Access, Visitor Access and Authorized Personnel Lists
Revision 24-3; Effective Sept. 1, 2024
All Programs
HHSC must maintain a visitor log and authorized access list (AAL) to record access to physical work areas containing FTI. Staff maintain Form H1866 as a record of visitor access to a restricted area. Security staff must validate a visitor’s identity by examining a government-issued identification, such as a state-issued identification, driver’s license or passport. An AAL is maintained and MPS enforced to facilitate the entry of staff who have a frequent and continuing need to enter a restricted area but who are not assigned to the area. The AAL must contain the following:
- name of employee, vendor, contractor or non-agency personnel;
- name of agency or department;
- name and phone number of the agency point-of-contact authorizing access;
- address of agency, vendor or contractor; and
- purpose and level of access.
HHSC management must review the AAL monthly or upon potential indication of an event such as a security breach or personnel change. HHSC management must maintain an authorized personnel list of all staff who have access to information systems areas containing FTI.
C-2414 Access Control Systems
Revision 24-3; Effective Sept. 1, 2024
All Programs
Access control systems, such as badge readers, smart cards or biometrics, that can audit access attempts must maintain access control logs of successful and failed access attempts to secured areas containing FTI or to systems that process FTI. Management must review access control logs monthly. Access control logs must contain the following information for each access request:
- the name of the access control device owner;
- the success or failure of the access request; and
- the date and time of the access request.
C-2420 Transporting IRS FTI
Revision 24-3; Effective Sept. 1, 2024
All Programs
Staff must transport media containing FTI in a way that prevents loss or unauthorized disclosure. The IRS prohibits staff from transmitting FTI by agency email systems, Microsoft Teams or by phone. Staff must not use HHSC email addresses to send confidential or agency-sensitive information to personal email addresses.
Staff must secure computers and electronic media that receive, process, store, access, protect or transmit FTI in an area with restricted access. The agency must use encryption mechanisms on all computers and mobile devices that contain FTI to prevent access if lost or stolen. Staff must label removable media containing FTI.
Authorized staff must keep all computers, electronic media and removable storage containing FTI in their immediate protection and control during use. When not in use, authorized staff must secure the device in the proper storage area or container. Staff may not leave devices unattended in a public area. HHSC management must maintain inventory records of computers, electronic devices and removable media and complete a semi-annual review for control and accountability.
C-2421 In-Person Transport
Revision 24-3; Effective Sept. 1, 2024
All Programs
Staff transporting media containing FTI must always keep it in their possession. Never leave FTI unattended in a public setting. Use Form H1863 when removing FTI from a file and retain the form for five years from the last FTI removal indicated.
For office relocations, ensure plans include the proper protection and accountability of all FTI. Staff must lock FTI in cabinets or sealed packing cartons while in transit. HHSC staff maintain custody of FTI to ensure cabinets or cartons containing FTI are not misplaced or lost in transit.
C-2422 Mail or Courier Transport
Revision 24-3; Effective Sept. 1, 2024
All Programs
Double seal all FTI transported through the mail by sealing one envelope within another envelope. On the inner envelope, staff must mark Confidential to indicate that only the designated recipient is authorized to open it. Do not label the outermost envelope as FTI or provide any indication that it contains FTI. Use Form H1862 when mailing all paper documents that contain IRS data. The sender ensures the receiver acknowledges the receipt of the information.
C-2423 Fax Transport
Revision 24-3; Effective Sept. 1, 2024
All Programs
Fax machines must be placed in a secure area, and staff should refrain from faxing FTI when possible. There must be trusted staff at both the sending and receiving fax machines. When faxing is required, staff must use Form H1864. The form must accompany all faxed documents that contain IRS data when transferred from one office to another or from an office to a banking institution for verification purposes. The sender ensures the receiver acknowledges the receipt of the information and retains this form for five years.