Lesson 12: Quick Reference Card
← Study Guide home · Lesson 12 of 12
Everything important on one page
§7216 AT A GLANCE
| Element | Detail |
|---|---|
| Statute | IRC §7216, 26 U.S.C. §7216 |
| Who it covers | Any tax return preparer |
| What it prohibits | Knowing or reckless disclosure or use of tax return information outside return preparation |
| Definition of disclosure | Making information known to any person in any manner whatever (Treas. Reg. §301.7216-1(b)(5)) |
| "Tax return information" | Any information furnished for or in connection with return preparation, extremely broad |
| Criminal penalty | Up to $1,000 fine, up to 1 year imprisonment, per violation |
| Civil companion | §6713: $250/disclosure, $10,000/year cap; no intent required |
| Key exceptions | §301.7216-2(b)(1): another preparer; §301.7216-2(b)(2): same firm; §301.7216-2(d): auxiliary service (US-based, non-substantive, contractual confidentiality); §301.7216-e: peer review |
| Consent authority | §301.7216-3 + Rev. Proc. 2013-14 |
| Guidance gap | No IRS guidance on AI as of June 2026 |
FTC SAFEGUARDS RULE CHECKLIST
- WISP exists and is in writing
- WISP reviewed within the past 12 months
- Qualified individual designated
- Risk assessment conducted and documented
- Each AI vendor evaluated for security posture
- DPA or contractual safeguards in place with each AI vendor
- Employee training on AI data security conducted
- Incident response plan in WISP
- Multi-factor authentication implemented
- FTC breach notification procedure documented (500+ individuals: 30 days to FTC)
WISP AI ANNEX REQUIRED ELEMENTS
- AI Vendor Inventory: Name, tier, DPA status for each AI tool used with client data
- Approved Tool Classification: Green/Yellow/Red designation for each tool
- Access Controls: Which personnel may use which AI tools with client data
- AI Incident Response: Procedure for AI vendor breach notification
- Annual Review Checkpoint: Specific AI review step in annual WISP review
§7216 CONSENT FORM REQUIRED ELEMENTS (Form 1040 Clients)
- Standalone document (not embedded in engagement letter)
- Minimum 12-point type (paper form)
- Verbatim mandatory language from Rev. Proc. 2013-14 §5.04
- Preparer's name
- Taxpayer's name
- Specific description of information to be disclosed
- Specific named recipient (name the AI vendor by name and tier)
- Purpose of disclosure
- Duration (specify; defaults to 1 year if not stated)
- Taxpayer's signature and date
- TIGTA contact information
- Copy provided to taxpayer at execution
CIRCULAR 230 AI CHECKPOINTS
| Section | AI Checkpoint |
|---|---|
| §10.22 | Did I use reasonable care in selecting, supervising, and evaluating AI output? |
| §10.35 | Do I understand the AI tool's benefits and limitations well enough to use it competently? |
| §10.36 | Does my firm have adequate AI use procedures, and are they being followed? |
| §10.37 | Are AI-generated written advice letters based on verified authorities and reasonable assumptions? |
AICPA ET §1.700.001 AI CHECKPOINTS
| Step | Question |
|---|---|
| 1 | Am I using an AI vendor that will see client confidential information? |
| 2 | Do I have a contractual agreement with the vendor requiring confidentiality? |
| 3 | Does the contract provide reasonable assurance of appropriate security procedures? |
| 4 | If not, do I have specific client consent for the disclosure? |
| 5 | Have I applied the threat/safeguards analysis and documented it? |
GEORGIA-SPECIFIC OBLIGATIONS
| Rule/Statute | Obligation |
|---|---|
| Rule 20-12-.11 | No disclosure of confidential client information without consent, applies to ALL client information (broader than §7216) |
| Rule 20-12-.19 | AICPA Code and SSTS are part of your CPA license, AICPA violations are Georgia Board violations |
| O.C.G.A. §43-3-29 | Accountant-client privilege (renumbered from §43-3-32 in 2014), disclosure to AI vendor may implicate privilege waiver |
| O.C.G.A. §10-1-912 | Breach notification "in the most expedient time possible", no specific deadline; 24-hour notice to principal if you're processing data on behalf of another entity |
APPROVED/PROHIBITED AI TOOL CLASSIFICATION TEMPLATE
| Tool | Vendor | Tier | DPA on File? | US Data Residency? | No-Train Clause? | §7216 Status | Approved for Client Data? |
|---|---|---|---|---|---|---|---|
| ChatGPT Plus | OpenAI | Consumer | No | No | No | No exception; consent required | No (without consent) |
| ChatGPT Enterprise | OpenAI | Enterprise | Yes | Yes (US-only configurable) | Yes | Exception arguable; consent recommended | Yes (with DPA + consent) |
| Microsoft 365 Copilot | Microsoft | Enterprise | Yes | Yes (US-only configurable) | Yes | Strongest enterprise cloud position | Yes (with DPA + consent) |
| Claude Pro | Anthropic | Consumer | No | No | No | No exception; consent required | No (without consent) |
| Claude Enterprise | Anthropic | Enterprise | Yes | Yes | Yes | Exception arguable; consent recommended | Yes (with DPA + consent) |
| Ollama + Llama 3.3 (verified local) | Meta (model) / local | Local | N/A | N/A | N/A | No disclosure under local analysis | Yes (with WISP coverage) |
| LM Studio (verified no telemetry) | LM Studio / local | Local | N/A | N/A | N/A | No disclosure under local analysis | Yes (with WISP coverage) |
| Intuit Tax Assist | Intuit | Tax-specific | Reviewed in product TOS | US | Yes | Strong position as integrated tax software | Yes (review TOS) |
| Thomson Reuters CoCounsel | TR | Enterprise | Yes | Yes | Yes | Enterprise-tier; strong DPA | Yes (with DPA + consent) |
This table reflects general guidance as of June 2026. Vendor terms change. Always review current DPA and subscription terms before use.
CITATION INDEX: PRIMARY SOURCES
| Source | Full Citation | URL |
|---|---|---|
| IRC §7216 | 26 U.S.C. §7216 | https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title26-section7216 |
| IRC §6713 | 26 U.S.C. §6713 | https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title26-section6713 |
| IRC §7701(a)(1) | 26 U.S.C. §7701(a)(1) (Definition of "person") | https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title26-section7701 |
| Treas. Reg. §301.7216-1 | 26 C.F.R. §301.7216-1 (Definitions) | https://www.ecfr.gov/current/title-26/chapter-I/subchapter-F/part-301/section-301.7216-1 |
| Treas. Reg. §301.7216-2 | 26 C.F.R. §301.7216-2 (Permissible disclosures without consent) | https://www.law.cornell.edu/cfr/text/26/301.7216-2 |
| Treas. Reg. §301.7216-3 | 26 C.F.R. §301.7216-3 (Disclosures requiring consent) | https://www.ecfr.gov/current/title-26/chapter-I/subchapter-F/part-301/section-301.7216-3 |
| Rev. Proc. 2013-14 | IRB 2013-03 (§7216 consent format and mandatory language) | https://www.irs.gov/irb/2013-03_IRB |
| Rev. Rul. 2010-4 | 2010-1 C.B. (preparer use/disclosure for taxpayer communications; name/address list to a newsletter service provider) | https://www.irs.gov/irb/2010-04_IRB |
| Rev. Rul. 2010-5 | 2010-1 C.B. (disclosure to the preparer's professional liability insurance carrier) | https://www.irs.gov/irb/2010-04_IRB |
| FTC Safeguards Rule | 16 C.F.R. Part 314 (Standards for Safeguarding Customer Information) | https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314 |
| GLBA | 15 U.S.C. §6801 et seq. (Gramm-Leach-Bliley Act) | https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title15-section6801 |
| IRS Pub. 4557 | IRS Publication 4557 (Safeguarding Taxpayer Data) | https://www.irs.gov/pub/irs-pdf/p4557.pdf |
| IRS Pub. 5708 | IRS Publication 5708 (Creating a WISP for Your Tax Practice) | https://www.irs.gov/pub/irs-pdf/p5708.pdf |
| Circular 230 | Treasury Department Circular No. 230 (Rev. 6-2014), 31 C.F.R. Part 10 | https://www.irs.gov/pub/irs-pdf/pcir230.pdf |
| AICPA ET §1.700.001 | AICPA Code of Professional Conduct §1.700.001 (Confidential Client Information Rule) | https://pub.aicpa.org/codeofconduct/ethicsresources/et-cod.pdf |
| AICPA Interpretation 1.700.040 | AICPA ET Interpretation 1.700.040 (Third-Party Service Providers) | https://pub.aicpa.org/codeofconduct/ethicsresources/et-cod.pdf |
| SSTS No. 1 §1.4 | AICPA Statements on Standards for Tax Services No. 1, §1.4 (Reliance on Tools, effective Jan. 1, 2024) | https://www.aicpa-cima.com/resources/download/revised-statements-on-standards-for-tax-services-no-1-4-1-1-2024 |
| Georgia Rule 20-12-.11 | Georgia State Board of Accountancy Rule 20-12-.11 (Confidential Client Information) | https://rules.sos.ga.gov/gac/20-12 |
| Georgia Rule 20-12-.19 | Georgia State Board of Accountancy Rule 20-12-.19 (Other Professional Standards) | https://rules.sos.ga.gov/gac/20-12 |
| O.C.G.A. §10-1-912 | Georgia Code §10-1-912 (Breach notification) | https://law.justia.com/codes/georgia/title-10/chapter-1/article-34/section-10-1-912/ |
| NY SHIELD Act | N.Y. Gen. Bus. Law §899-bb | https://www.nysenate.gov/legislation/bills/2019/a5635 |
| 201 CMR 17.00 | 201 C.M.R. 17.00 (Mass. Standards for Protection of Personal Information) | https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth |
| CA Tax Preparers Act §17530.5 | Cal. Bus. & Prof. Code §17530.5 | https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=17530.5.&lawCode=BPC |
| United States v. Littlejohn | No. 1:23-cr-00343 (D.D.C. Jan. 29, 2024), sentenced to 5 years under 26 U.S.C. §7213 | https://www.justice.gov/archives/opa/pr/former-irs-contractor-sentenced-disclosing-tax-return-information-news-organizations |
| OPR Circular 230 AI Presentation | IRS OPR, "Circular 230: Professional Responsibility in Today's Tax Practice" (2024 National Tax Forum) | https://www.irs.gov/pub/irs-npl/2024ntf-circular-230-professional-responsibility.pdf |
| Proposed Circular 230 Amendment | REG-116610-20, Proposed Amendments to Circular 230 §10.35 (December 2024) | https://www.federalregister.gov/documents/2024/12/23/2024-29941/regulations-governing-practice-before-the-internal-revenue-service |
| Pittman/Williford/Becker | "The Many Implications of Sec. 7216", The Tax Adviser (January 2024) | https://www.thetaxadviser.com |
| Tom Gorczynski Analysis | "AI and the §7216 Disclosure and Use Rules", Tom Talks Taxes (September 2024) | https://tomtalkstaxes.com |
| SSTS 1.4 Practitioner Guide | Holets, "Technology and Tax Standards: Understanding New SSTS Section 1.4, Reliance on Tools", The Tax Adviser (September 30, 2025) | https://www.thetaxadviser.com/issues/2025/sep/technology-and-tax-standards-understanding-new-ssts-section-1-4-reliance-on-tools/ |
FINAL NOTE
This guide will continue to evolve. The IRS will issue AI-specific §7216 guidance eventually. The AICPA will issue AI-specific ethics guidance. Circular 230 will be amended to address technological competence explicitly. State laws will change.
When those developments occur, the framework in this guide will require updating. But the underlying principles, that client tax data belongs to the client, that disclosure requires authorization, that professional responsibility cannot be delegated to a tool, that documentation is the practitioner's best defense, will not change.
The practitioner who has internalized those principles, and who applies them thoughtfully as the specific rules evolve, is already compliant in the way that matters most.
Guide developed by Charlie Barmore, CPA, Augusta, Georgia, for The AI Lab for Accountants
Educational self-study series: "AI for the Small CPA Firm." Not a registered CPE program.
Current as of June 2026. This guide is for educational purposes and does not constitute legal advice. Practitioners should consult legal counsel regarding specific compliance questions.