ACA Reporting and HIPAA Privacy Concerns

The Affordable Care Act (ACA) added various reporting requirements for health plans and employers, including employer information reporting requirements under Section 6055 and 6056. Information gathering will be critical to successful reporting but collecting more sensitive information about employees may raise additional data privacy and security risks.

Under the ACA, if your company provides "minimum essential coverage" (MEC), you must report certain information about that coverage to the Internal Revenue Service (IRS), and to persons receiving that MEC. Providers of minimum essential coverage will use Forms 1094-B, 1095-B, 1094-C and 1095-C to report this information.

Depending on the type of provider you are, you will need to report on detailed employee data, including names, Social Security Numbers of each employee and covered dependents and months during which health coverage was offered and provided in 2015.

Collecting this information will be an increased burden, creating more risks given the increased amount of sensitive data you will be handling, and possibly from vendors working on your behalf. Some steps you can take to mitigate these risks include:

  • Determine whether the information is subject to HIPAA. Employers will need to consider whether this information, collected for ACA reporting requirements, is protected health information (PHI) under HIPAA or whether it falls under any HIPAA exception. As of the date of this article, the IRS has not issued any guidance on whether HIPAA applies to employer information reporting requirements.

  • Implement appropriate safeguards. For an employer that determines the information collected for this purpose is PHI, it will need to ensure the appropriate steps are taken under the HIPAA privacy and security rules. For example, employers will need to implement appropriate administrative, technical and physical safeguards to protect the privacy of PHI, train all employees on policies and procedures regarding PHI, designate a privacy officer to develop and implement privacy policies and procedures and report any unauthorized use or disclosure of PHI.

  • Confirm your vendors will protect this information. The IRS reporting regulations permit the use of third party vendors to assist employers in the reporting process. Whether the vendor is a "business associate" under HIPAA, employers should be sure the vendor is HIPAA Certified and contractually bound to maintain and implement appropriate privacy and security practices, including data breach preparedness.

Employers navigating through the ACA reporting requirements have many issues to consider and how personal information or protected health information is safeguarded in the course of those efforts is one more important consideration. Employers need to prepare now for this upcoming obligation by putting procedures in place. Especially since penalty amounts were recently increased for employers subject to the ACA's information reporting requirements.

Failing to comply with the requirements may trigger fines for failing to file correct information returns and for failing to provide correct information returns to employees. The penalty for failing to file an information return increased from $100 to $250 for each return, with a cap of $3 million. The penalty for failing to provide correct employee information to employees also increased from $100 to $250 for each return.

ComplyRight Distribution Services (CDS) offers a secure print-and-mail solution for businesses looking to outsource this function. The CDS facility is HIPAA Certified and has achieved SOC certification from the American Institute of CPAs. So employers can rest assured that all information will remain protected throughout the process, and they will not be exposed to a potential data breach. Contact us at mdnavarro@complyright.com for more information.