Revision 24-3; Effective July 1, 2024

All Programs

Federal Tax Information (FTI) includes tax returns or return information received directly from the IRS or obtained through an authorized secondary source such as the Social Security Administration. Staff must protect digital and non-digital media containing FTI from unauthorized inspection and disclosure. Digital media includes computers, mobile devices and removable storage, such as CDs, DVDs and external hard drives. Non-digital media includes paper forms, reports and logs.

HHSC limits FTI access to staff whose duties require access. HHSC agency and non-agency staff access FTI physically and through the Automated System for Office of Inspector General (ASOIG). Staff must handle FTI using the following policies to ensure information does not become misplaced, stolen, or made available to unauthorized personnel.

TANF, SNAP and TP 08

HHSC IEVS staff must retain electronic IEVS worksheets for five years. Staff may log and destroy any printed IEVS module records using IRS safeguarding requirements once they are no longer needed because the electronic records are available and kept in ASOIG for the applicable retention period.

The following forms must be kept for five years from the date of the last entry on the form:

  • Form H1861, Federal Tax Information Record Keeping and Destruction Log;
  • Form H1862, Federal Tax Information Transmittal Memorandum;
  • Form H1863, Federal Tax Information Removal Log;
  • Form H1864, Federal Tax Information Fax Transmittal; and
  • Form H1866, Federal Tax Information Visitor Access Log.

C-1051 IRS FTI Security and Awareness Training

Revision 24-3; Effective July 1, 2024

All Programs

HHSC and non-HHSC staff who access or may potentially encounter FTI must take and pass the annual Safeguarding IRS Federal Tax Information training to receive and maintain their access permissions to ASOIG. HHSC staff access the training course under System Training Solutions (STS) in the Centralized Accounting and Payroll/Personnel System (CAPPS). Non-HHSC staff may contact the HHSC IRS Coordinator by email at the HHSC AES Federal Tax Info Training Mailbox to get a copy of the training.

HHSC developed the Safeguarding IRS Federal Tax Information training with role-based job aids as an agency resource for security and privacy awareness. HHSC updates this training on an annual basis to reflect any system and policy changes and address audit findings.

Upon completion of the Safeguarding IRS Federal Tax Information training, HHSC staff submit a confirmation of understanding in STS. The confirmation acknowledges staff completed a thorough review of the web-based training and job aids in the resources tab relevant to their professional role. Additionally, it confirms understanding of incident reporting requirements. STS maintains a record of completion for each employee. Non-HHSC staff must review a PDF version of the training, sign Form H4096, Safeguarding Information Certification, and submit the form to their management. The form confirms completion and understanding of the material within the training, as well as the penalties involved for any unauthorized inspection and disclosure of FTI. Non-HHSC management must maintain a copy of the Form H4096 in the employee’s file.

HHSC staff must also complete the HHS Information Security/Cybersecurity Awareness Training and the HHS Privacy Training within 30 days from their hire date and before accessing ASOIG. These trainings are available in STS in CAPPS.

C-1052 Accessing IRS FTI

Revision 24-3; Effective July 1, 2024

All Programs

HHSC and non-HHSC staff are prohibited from using personally owned media on agency systems or system components. Staff are also prohibited from using portable storage devices in agency systems when such devices have no identifiable owner.

HHSC and non-HHSC staff must adhere to policies and procedures for the handling and protection of FTI to prevent unauthorized access and disclosure. Failure to adhere to the policies or procedures will result in disciplinary action, including warnings, access suspension, permanent access removal or termination.

HHSC and non-HHSC management notify their staff within 72 hours when the formal employee sanction process is initiated. The notification includes the staff member sanctioned and the reason for the sanction.

HHSC and non-HHSC management must remove system and physical access when their staff transfer or are reassigned to a position that no longer requires ongoing operational need to access FTI. HHSC and non-HHSC management submit a modified access request within 24 hours of the transfer or reassignment.

HHSC and non-HHSC management must remove system and physical access and discuss information security during an exit interview when employment is terminated. HHSC and non-HHSC management submit a modified access request within 24 hours of the termination.

Work areas where staff physically access FTI should be limited to authorized personnel only. These areas must be prominently posted and separated from non-restricted areas by physical barriers that control access. FTI must be secured during and after normal operating hours. Staff accessing secured areas must clearly display a picture identification badge. The badge may not be obstructed and must be displayed above the waist.

Staff responsible for protecting access to FTI must mark system media containing FTI to show the distribution limitations, handling caveats and applicable security markings, if any. Additionally, staff responsible for protecting access to FTI must physically control and securely store media containing FTI within agency-controlled areas. Protect system media until it is sanitized or disposed of using approved equipment and methods.

C-1052.1 Minimum Protection Standards

Revision 24-3; Effective July 1, 2024

All Programs

Minimum protection standards (MPS) require the agency to use at least two barriers to protect FTI from unauthorized access. These barriers include a combination of secured perimeters, security rooms, badged employees and security containers.

  • Secured Perimeters are enclosed by slab-to-slab walls constructed of durable materials and supplemented by periodic inspection. Any lesser-type partition must be supplemented by electronic intrusion detection and fire detection systems. All doors entering the space must be locked per Locking Systems for Secured Areas. In the case of a fence or gate, the fence must have intrusion detection devices or be continually guarded. The gate must be either guarded or locked with intrusion alarms.
  • Security Rooms are constructed to resist forced entry. The entire room must be enclosed by slab-to-slab walls constructed of approved materials, such as masonry brick or concrete, and supplemented by periodic inspection. Door hinge pins must be non-removable or installed on the inside of the room. Access must be limited to specifically authorized personnel.
  • Badged Employees can serve as the second barrier during business hours between FTI and unauthorized persons. The authorized personnel must wear picture identification badges or credentials. The badge must be clearly displayed and worn above the waist.
  • Security Containers are storage devices, such as turtle cases, safes, vaults or locked IT cabinets, with resistance to forced penetration and a security lock with controlled access to keys or combinations.

C-1052.2 Locking Mechanisms

Revision 24-3; Effective July 1, 2024

All Programs

All buildings, rooms and containers containing FTI must be locked when not in actual use. Key or combination locking mechanisms may secure FTI. Staff not authorized to access FTI may have a key to the building but not the secured room. This includes unauthorized agency staff, contractors, security personnel, custodial staff and landlords.

The following guidelines apply to key locking mechanisms:

  • The number of keys must be kept to a minimum.
  • Only authorized staff can access the secured area.
  • The unauthorized duplication of keys is prohibited.
  • Keys must be returned before departure for staff who retire, terminate employment or transfer to another position.
  • Management must conduct annual reconciliation of key records.

The following rules apply to combination locking mechanisms:

  • The combination is only shared with authorized staff.
  • The unauthorized disclosure of the combination is prohibited.

Management must change the combination at least annually or upon departure of staff that retire, terminate employment, or transfer to another position.

C-1052.3 Authorized Access, Visitor Access, and Authorized Personnel Lists

Revision 24-3; Effective July 1, 2024

All Programs

HHSC must maintain a visitor log and authorized access list (AAL) to record access to physical work areas containing FTI. Staff maintain Form H1866 as a record of visitor access to a restricted area. Security staff must validate a visitor’s identity by examining a government-issued identification, such as a state-issued identification card, driver’s license or passport. An AAL is maintained and MPS enforced to facilitate the entry of staff who have a frequent and continuing need to enter a restricted area but who are not assigned to the area. The AAL must contain the following:

  • name of employee, vendor, contractor or non-agency personnel;
  • name of agency or department;
  • name and phone number of the agency point-of-contact authorizing access;
  • address of agency, vendor or contractor; and
  • purpose and level of access.

HHSC management must review the AAL monthly or upon potential indication of an event such as a security breach or personnel change. HHSC management must maintain an authorized personnel list of all staff who have access to information systems areas containing FTI.

C-1052.4 Access Control Systems

Revision 24-3; Effective July 1, 2024

All Programs

Access control systems, such as badge readers, smart cards or biometrics, that provide the capability to audit access control attempts, must maintain access control logs with successful and failed access attempts to secured areas containing FTI or systems that process FTI. Management must review access control logs monthly. Access control logs must contain the following information for each access request:

  • the name of the access control device owner;
  • the success or failure of the access request; and
  • the date and time of the access request.
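One way to carry out the monthly log review this section requires, written as an added example that is not part of this handbook or of any HHSC system. It assumes a constructed pipe-delimited export (owner name, SUCCESS or FAILURE, timestamp) and a hypothetical repeated-failure threshold; it flags entries that lack a required field, since such an entry would not satisfy the logging requirement, and tallies failed attempts per owner for the review month.

```python
from collections import Counter
from datetime import datetime

# Constructed sample export from a badge reader, one access request per line:
# owner name | SUCCESS or FAILURE | timestamp (assumed format; real systems differ)
SAMPLE_LOG = """\
A. Reyes|SUCCESS|2024-07-02 08:15:00
B. Chen|FAILURE|2024-07-02 08:16:30
B. Chen|FAILURE|2024-07-02 08:17:05
B. Chen|SUCCESS|2024-07-02 08:17:40
C. Patel|FAILURE|2024-07-09 22:41:00
|SUCCESS|2024-07-10 09:00:00
A. Reyes|SUCCESS|2024-06-28 17:30:00
D. Ortiz|FAILURE|2024-07-15 03:12:00
"""

def parse_log(text):
    """Return (records, defective_line_numbers).

    A line missing the owner, the result or the timestamp, or carrying an
    unknown result value, is recorded as a defect rather than silently kept,
    because every access request must carry all three required fields."""
    records, defects = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not all(parts) or parts[1] not in ("SUCCESS", "FAILURE"):
            defects.append(lineno)
            continue
        owner, result, stamp = parts
        records.append({"owner": owner, "result": result,
                        "timestamp": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")})
    return records, defects

def monthly_review(records, year, month, fail_threshold=2):
    """Summarize one review month: requests reviewed, failed attempts per owner,
    and owners whose failures reach the (hypothetical) threshold for follow-up."""
    in_month = [r for r in records
                if r["timestamp"].year == year and r["timestamp"].month == month]
    failures = Counter(r["owner"] for r in in_month if r["result"] == "FAILURE")
    flagged = sorted(o for o, n in failures.items() if n >= fail_threshold)
    return {"reviewed": len(in_month), "failures": dict(failures), "flagged": flagged}

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print("lines missing a required field:", bad)
    print(monthly_review(recs, 2024, 7))
```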

C-1053 Transporting IRS FTI

Revision 24-3; Effective July 1, 2024

All Programs

Staff must transport media containing FTI in a manner that prevents loss or unauthorized disclosure. The IRS prohibits staff from transmitting FTI by agency email systems, Microsoft Teams or by phone. Staff must not use HHSC email addresses to send confidential or agency-sensitive information to personal email addresses.

Staff must secure computers and electronic media that receive, process, store, access, protect or transmit FTI in an area with restricted access. The agency must use encryption mechanisms on all computers and mobile devices that contain FTI to prevent access if lost or stolen. Staff must label removable media containing FTI.

Authorized staff must keep all computers, electronic media and removable storage containing FTI in their immediate protection and control during use. When not in use, authorized staff must secure the device in the proper storage area or container. Staff may not leave devices unattended in a public area. HHSC management must maintain inventory records of computers, electronic devices and removable media and complete a semi-annual review for control and accountability.

C-1053.1 In-Person Transport

Revision 24-3; Effective July 1, 2024

All Programs

Staff transporting media containing FTI must always keep it in their possession. Never leave FTI unattended in a public setting. Use Form H1863 when removing FTI from a file and retain the form for five years from the last FTI removal indicated.

For office relocations, ensure plans include the proper protection and accountability of all FTI. Staff must lock FTI in cabinets or sealed packing cartons while in transit. HHSC staff maintain custody of FTI to ensure cabinets or cartons containing FTI are not misplaced or lost in transit.

C-1053.2 Mail or Courier Transport

Revision 24-3; Effective July 1, 2024

All Programs

Double seal all FTI transported through the mail by sealing one envelope within another envelope. On the inner envelope, staff must mark Confidential with some indication that only the designated recipient is authorized to open it. Do not label the outermost envelope as FTI or provide any indication that it contains FTI. Use Form H1862 when mailing all paper documents that contain IRS data. The sender ensures the receiver acknowledges the receipt of the information.

C-1053.3 Fax Transport

Revision 24-3; Effective July 1, 2024

All Programs

Fax machines must be placed in a secure area, and staff should refrain from faxing FTI when possible. There must be trusted staff at both the sending and receiving fax machines. When faxing is required, staff must use Form H1864. The form must accompany all faxed documents that contain IRS data when transferred from one office to another or from an office to a banking institution for verification purposes. The sender ensures the receiver acknowledges the receipt of the information and retains this form for five years.

C-1054 IRS FTI Sanitation

Revision 24-3; Effective July 1, 2024

All Programs

The sanitization process removes FTI from media to ensure the information cannot be retrieved or reconstructed. Examples include but are not limited to digital media found in scanners, copiers, printers, computers, network components, mobile devices, and non-digital media such as paper and microfilm. Staff must use agency-approved software and methods for sanitizing FTI. The following are acceptable sanitization methods:

  • Clearing protects the confidentiality of information against a robust keyboard attack. Simple deletion of items is not sufficient. Clearing must not allow information to be retrieved by data, disk or file recovery utilities. It must be resistant to keystroke recovery attempts. Overwriting is an example of an acceptable clearing method.
  • Purging protects the confidentiality of information against a laboratory attack. This type of attack involves using signal processing equipment and specially trained personnel. Examples of acceptable purging methods are degaussing, which destabilizes a device’s magnetic field, and, for ATA drives only, executing the firmware Secure Erase command.

HHSC must maintain sanitization records which include the:

  • control number, file name and contents, or both for each record;
  • total number of records;
  • date and method of sanitization; and
  • date of sanitization verification.

C-1055 IRS FTI Destruction

Revision 24-3; Effective July 1, 2024

All Programs

The destruction process ensures that media with FTI cannot be reused as originally intended. Examples include but are not limited to disintegration, incineration, pulverizing, shredding and melting. Staff use Form H1861 to record and track the destruction of FTI. If non-HHSC staff destroy FTI, an HHSC employee must witness the destruction. Staff must use the following approved destruction methods for destroying FTI:

  • Incinerators certified to produce enough heat to burn the entire bundle. If the incinerator cannot burn the entire bundle, separate the pages to ensure all materials are incinerated.
  • Shredders producing crosscut particles which are a maximum of 1 mm by 5 mm or 0.04 inches by 0.2 inches. If shredding deviates from these specifications, then the FTI must be safeguarded until it reaches the stage where it is rendered unreadable through additional means, such as burning or pulping.
  • Disintegrator or Pulverizer equipped with a 2.4-mm or 3/32-inch security screen.

HHSC must maintain destruction records which include the:

  • date the records were received;
  • control number, file name and contents, or both for each record;
  • name of the person receiving the records;
  • total number of records, if available;
  • movement of records from receipt to destruction; and
  • date and method of destruction.