How to Manage Potential HIPAA Privacy and Security Issues with ACA Information Reporting

ACA Information Reporting May Create HIPAA Privacy and Security Concerns for Employers

Beginning January 2016, new reporting rules under Code Sections 6055 and 6056 of the Affordable Care Act (ACA) require employers to file annual information returns with the IRS, as well as deliver statements to employees summarizing health plan coverage information. As part of this reporting process, employers will need to gather sensitive information about employees.

Due to the potential for data privacy and security risks for employers and their vendors, it’s important to know the proper steps for handling this information.

Exercise Caution When Gathering Information

The primary purpose of the new, mandatory ACA reporting is to communicate certain details of health insurance coverage, including verification that the “minimum essential coverage” (MEC) is being met. For calendar year 2015, this reporting requirement applies to employers with 50 or more full-time employees (including full-time equivalent employees, or FTEs) and all self-insured employers, regardless of size. The forms used to report this information are 1095-B and 1095-C, as well as transmittal forms 1094-B and 1094-C.

In most cases, Form 1095-B (used by insurance companies and self-insured employers with fewer than 50 full-time employees) and Form 1095-C (used by large employers, insured and self-insured, with 50 or more full-time employees) require Social Security numbers (SSNs) of employees, as well as the SSNs of spouses and dependents covered under the plan. This is where you need to be careful.

Although you may be used to collecting and using employee SSNs for various business and benefit-related purposes, getting SSNs from spouses and dependents is an added responsibility with ACA reporting. At the same time, collecting this type of sensitive information raises data privacy and security risks.

To reduce the risks with sensitive information, you should:

  • Consider if the information is subject to HIPAA.

    Take the time upfront to determine if any of the information collected for ACA reporting requirements is protected health information (PHI) under HIPAA or if it falls under any HIPAA exception. (As of the date of this article, the IRS has not issued any guidance on whether HIPAA applies to employer information reporting requirements.)
  • Develop appropriate safeguards.

    If you’ve determined the collected information is PHI, you’ll need to ensure the appropriate steps are taken under the HIPAA privacy and security rules. For example, you’ll want to enforce appropriate administrative, technical and physical safeguards to protect the privacy of PHI, train all employees on policies and procedures regarding PHI, designate a privacy officer to develop and implement privacy policies and procedures, and report any unauthorized use or disclosure of PHI.
  • Verify your vendors will protect this information.

    The IRS reporting regulations permit the use of third-party vendors to assist you in the reporting process. Whether or not the vendor is a “business associate” under HIPAA, you’ll want to be sure the vendor is HIPAA-certified and contractually bound to maintain and implement appropriate privacy and security practices, including data breach preparedness.

Preparation Pays Off

Now is the time to develop procedures around this upcoming obligation. Be aware, too, that penalties for failing to file and issue these returns were recently increased for employers subject to the ACA’s information reporting requirements. 

The penalty for failing to file an information return increased from $100 to $250 for each return, with a cap of $3 million.  The penalty for failing to provide correct employee information to employees also increased from $100 to $250 for each return.

Familiarizing yourself with the compliance aspects of this reporting responsibility can protect you from these fines.
