Identity Problems

Will the government be up to the task of vetting and protecting the shared medical records required by ObamaCare?

Via the TaxProf Blog comes word of a new IRS report suggesting that if the IRS is any guide, the answer may be no. Thanks to identity “borrowing,” it appears that even the IRS has problems determining who is earning what. The report notes that of the 3 million returns filed using individual tax identification numbers (ITIN) in 2007, “[a]bout 1.2 million returns reported wages earned by ITIN taxpayers using another person’s SSN [social security number].”

At present, the IRS does not distinguish between legitimate and illegitimate users of a social security number (SSN). If someone uses someone else’s SSN and fails to pay taxes on the income, then the IRS tries to collect from the legitimate holder of the SSN. Collection actions for taxes on income that someone never earned can include seizure and sale of any type of real or personal property.

Or, as the bureaucracy puts it, “income matching associated with individual taxpayer identification numbers presents many challenges to tax administration.”

Understanding the relatively simple problems that face the IRS gives insight into the much bigger problems that will face any health bureaucracy. The IRS must distinguish employers from individuals because they are subject to different requirements. Furthermore, not everyone who owes taxes is eligible for a social security number. As a result, people may report income using a social security number (SSN), an individual taxpayer identification number (ITIN), or an employer identification number (EIN).

The report discusses a set of 96 returns from 2007. Of these, 4 were filed using an ITIN, but the return reported W-2 wages under another person’s name and SSN. The name on the W-2 matched the legitimate owner of the SSN, but not the name on the ITIN tax return.

In cases like this, the IRS says that it cannot match the income to the person earning it. Instead it matches the income to the taxpayer legally assigned the SSN. The legitimate owner of the SSN may or may not know that he owes taxes on income he didn’t earn and the IRS has no procedures for notifying him about the mismatch. In 2007, the IRS figures that about 23,000 taxpayers had their names and SSNs appropriated by ITIN filers.

In 73 of the 96 cases, the name on the W-2 matched the name of the taxpayer filing the return, but the SSN on the W-2 belonged to someone else. In 27 of the 73 cases of mismatched names and SSNs, the legitimate SSN owner was under 18, dead, or over 100. You will be relieved to know that in these cases the IRS and the Social Security Administration bureaucracies did “not associate the income and benefits with the lawful taxpayer.”

Buying and selling social security numbers is a business, and health care records provide fertile grounds for crooks. In 2006, for example, a Social Security Administration audit reported that a buyer paid an Alabama hospital employee $100 each for children’s social security numbers that were reportedly used to file fraudulent tax returns. At the end of 2007, the Social Security Administration reported that it had records on 296 million mismatched W-2 forms associated with $835.7 billion in wages.

In 19 of the 96 cases, the W-2 information in the return could not be matched to any employer records in the IRS system. The IRS had no idea whether the ITIN taxpayer was using someone else’s SSN.

In tax records as in medical record databases, there is an inescapable tension between privacy and control. For example, IRS management says that “Notifying employers that their employee is using another person’s identity is not permissible because it would be an unlawful disclosure of tax information.” (Note: Go back and read that last sentence again!)

Identity theft that furthers medical fraud is becoming more common. In 2010 the Boca Raton police arrested Giovanni Mangino after two visits to the Boca Raton Community hospital where he received $106,000 in medical care. He used the name Giovanni Ovesta and the social security number of someone living in Arizona.

In tax records, using someone else’s identity may artificially inflate someone’s tax bill. In a system of electronic health records, errors propagate rapidly and identity fraud increases the probability that a thief’s health conditions will be confused with the health conditions of the person whose identity he stole. Two questions arise. First, was the person living in Arizona, the legitimate owner of the SSN used by Mr. Mangino, informed that his identity was used by someone else? And second, did he have the right to remove false information from his health record? In some states, people do not have the right to delete information from their medical record, and they can only amend it if the health care provider originating the record agrees to do so. This increases the probability of confusion between their medical history and a thief’s. [link, p. 20]

The tension between privacy and control is even more pronounced in health care under HIPAA than it is for taxes under the IRS. HIPAA prevents private providers from disclosing personal health information. There are significant penalties for doing so. But a record used by a thief contains personal health information both from the legitimate owner of the identity and from the thief. Aside from the question of who can correct a health record, there is a debate about whether it is even legal to allow victims of identity fraud to see their health records. HIPAA is unforgiving. Allowing victims to see their record would also let them see HIPAA protected personal health information on the thief. (Note: Go back and read that last sentence as well!)

Print