Payroll Provider Completing ACA Reporting? Better check for HIPAA compliance!

Are you compliant?

This post is a guest post from Mark Combs who is the CEO of It provides some very important information for all employers dealing with the ACA reporting.
Employers subject to the Affordable Care Act (ACA) reporting obligations are now feverishly completing their Forms 1095 and distributing them to their employees. For many, the process given to us by the IRS has been painful and has required quite a steep learning curve. In the rush to complete everything and move on to the next of the hundreds of other tasks required of HR professionals, was anything missed?
As it turns out, there is quite an ‘Oops’ presenting itself in the marketplace, and it has to do with HIPAA and HITECH compliance and the payroll vendors who provide ACA reporting for employers. Increasingly, employers who ask their vendors the appropriate questions about ACA reporting are not receiving answers that make them feel comfortable.
There certainly are some payroll providers who have done a good job in this area, but the vast majority of payroll companies cannot say the same. The reason most payroll companies overlook this detail is that they normally work only with employee-specific payroll records. For payroll-record information, the HIPAA privacy rules have an exception that allows the data to not be considered Protected Health Information (PHI). If you would like to research this specifically, here is a good article geared to CPAs who perform payroll reporting. (Article link here)
To correctly perform ACA reporting, more information is needed than is normally required to complete payroll. Specifically, to complete the required reporting correctly you must provide Social Security numbers and the enrollment and disenrollment dates for medical plan participants. Because this data is connected to a health plan, it becomes PHI and thus requires safeguarding.
When an employer works with providers that require the sharing of this data, it is really important that the employer maintains its end of the required HIPAA compliance. This requires many things, including the following:

  • Employers must enter into a Business Associate Agreement with any vendor with which they share PHI in order to complete ACA reporting.
  • Once the vendor comes into contact with the PHI, it has a responsibility to encrypt and safeguard this information. The vendor should also operate in a HIPAA-compliant manner and carry appropriate cyber insurance coverage for data theft.
  • Any communication that includes PHI (emails, etc.) must be sent encrypted in order to ensure compliance.
  • Once the vendor receives the PHI data, it must maintain all other HIPAA and HITECH compliance items governing how the data is accessed and stored.

So how do you know if your ACA reporting vendor is HIPAA compliant? One easy way to tell is by asking yourself this question:

“Did I sign a Business Associate Agreement with the payroll company I hired to do my ACA reporting?”

And if your answer to this question is no, then you certainly have an item that needs your attention.
The author, Mark Combs, is the CEO of  For ACA reporting resources you can access their blog from this link. They have also created a Form 1095-C code calculator which many employers will find quite helpful. (Link here) He can be reached at 888-978-8310.
ACA Reporting Services created a Form 1095-C code calculator to help HR folks understand how the codes work. You can take a look at it here:
