DSS ADMINISTRATIVE LETTER NO. ECONOMIC INDEPENDENCE
(WORK FIRST AND FOOD STAMPS) 04-2002
DSS ADMINISTRATIVE LETTER NO. ADULT AND FAMILY SERVICES 02-2002
TO: COUNTY DIRECTORS
ATTENTION: INCOME MAINTENANCE DIRECTORS
MEDICAID CASEWORKERS AND SUPERVISORS
WORK FIRST CASEWORKERS AND SUPERVISORS
FOOD STAMP CASEWORKERS AND SUPERVISORS
SPECIAL ASSISTANCE CASEWORKERS AND SUPERVISORS
SECURITY CONTROL OFFICERS
FRR/BEER CONTROL OFFICERS
DATE: MARCH 11, 2002
SUBJECT: SECURITY OF INTERNAL REVENUE SERVICE AND SOCIAL SECURITY ADMINISTRATION INFORMATION
NOTE: This letter obsoletes DSS Administrative Letter No. Economic Independence (Work First and Food Stamps) 11-2000, DSS Administrative Letter No. Adult and Family Services 3-2000, and DMA Administrative Letter No. 30-2000. The letter is effective upon receipt.
The purpose of this letter is to provide you with updated information concerning the security requirements for IRS and SSA data.
The changes include a revised Documentation of Annual Security Training log, a sample log of who has accessed FRR/BEER reports, a sample FRR/BEER destruction log, new requirements for two levels of security within the building where IRS and SSA data are stored, and additional instructions regarding who completes the internal inspection audit. The time limit for retaining the log for access to the FRR/BEER and the FRR/BEER destruction log has changed to five years. Revisions are in bold print in the paper version and red in the online version throughout the letter.
The Income and Eligibility Verification System (IEVS) was implemented in October 1986. This system provided a mechanism to interface with the Internal Revenue Service (IRS) to obtain leads regarding income and resources reported to the IRS by employers and financial institutions. This matched information is printed on the Financial Resource Report (FRR). IEVS also gave us access to certain types of income reported to SSA by the IRS. These income types are: military employment, pension income, self-employment, and federal employment. This matched information is printed on the Beneficiary Earnings Exchange Report (BEER).
The matches with SSA are also regulated by IEVS. These matches are the State Data Exchange (SDX), Beneficiary Data Exchange (BENDEX), State Online Query (SOLQ), and the Third Party Query (TPQY). Also, to ensure that we have the correct social security number (SSN) when performing these matches, we submit records to SSA for SSN validation.
DHHS contracts with the IRS and SSA to perform these matches. In these contracts, DHHS agrees to safeguard the information provided to us in accordance with federal regulations. IRS security requirements are defined in 26 USC 6103 and IRS Publication 1075. SSA security requirements are defined in: Section 1106(a) of the Social Security Act (42 USC 1306(a)); SSA POMS 10801.500, 510, 515, and 828; Regulation No. 1 (20 CFR Part 401); the Privacy Act (5 USC 552a); Freedom of Information Act (5 USC 552); Computer Matching and Privacy Protection Act of 1988 (PL 100-503); 26 USC 6103, and IRS Publication 1075.
C. The director ensures security requirements are met for the agency. The IRS requires two barriers to accessing federal tax information (FTI) – secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container. The FRR/BEER reports contain FTI; therefore, the agency must meet these IRS security requirements. Details of the security requirements are contained in IRS Publication 1075. This publication can be accessed through the Internet. Go to: http://www.irs.gov/pub/irs-pdf/p1075.pdf.
Section 4.0 contains the security information. If your agency does not have access to the Internet, you may contact Ken Maddox, the IEVS coordinator, at (919) 857-4019 with questions or information needed regarding the security requirements.
The FRR/BEER are mailed to the counties in hot pink envelopes and marked “Confidential”. These reports must NOT be opened in the mailroom, but must be delivered to the designated FRR/BEER control person. Immediately upon receipt, the control person must distribute the workers’ copies to the appropriate income maintenance staff for follow-up. To ensure that only individuals who are allowed access to this information handle these reports, the control person must keep a log indicating to whom the reports are given, the date signed out, and the date the information is returned. See Attachment IV for a sample log. When worker copies are distributed, record the names of the staff members who received the copies on a log. Also record on the log the names of any other persons who view the FRR/BEER information. Retain this log for five years, at which time it may be destroyed.
The control person must also ensure that the reports are under lock and key when they are not being used by the workers, the reports are worked within the time frame specified in the appropriate program policy manual, and that all worker copies of the report are returned and filed with the control copy. Do not destroy a FRR/BEER report until all copies of the report are returned.
NOTE: If the record indicates that the information was originally obtained from the FRR or BEER, the source of this information never changes. All subsequent verifications of this information must be filed with the FRR or BEER.
The Medicaid Program Representative (MPR) is responsible for the following:
If you are investigating for an overpayment or you prosecute for fraud, you may use the verification, but you cannot state that this information was obtained from the IRS to the individuals (other than the client) involved in the case. You can only state that you have verified this information with the source (the financial institution).
Maintain the FRR and BEER in the county for two years, unless there is a current fraud case. The FRR or BEER related to that case should be flagged for retention. The FRR and BEER information is retained in the State Office for three years. If information between the second and third year is needed for audit purposes, please contact the IEVS Coordinator.
A log listing the dates the FRR and BEER reports were destroyed and the dates of the reports that were destroyed is required. See Attachment V for a sample log to record information when you destroy FRR and BEER reports. Retain this log for five years.
If you have any questions regarding this information, please contact your Medicaid Program Representative.
Nina M. Yeager, Director
Division of Medical Assistance
Pheon Beal, Director
Division of Social Services
(This material was researched and prepared by Mary Spivey, EIS Program Consultant, DMA/EIS Unit.)
For questions or clarification on any of the policy contained in these manuals, please contact your local county office.