HIPAA Implications of Form 1095-C Reporting

Spring 2016Articles For Your Benefit

Employers need to keep HIPAA compliance at top of mind when doing Internal Revenue Code §§ 6055 and 6056 reporting on Forms 1095-C. Form 1095-C is used by employers to report offers of minimum essential medical coverage to employees (Parts I and II of the Form) and by employers that offer self-insured minimum essential coverage to report employee enrollment in such coverage (Part III of the Form).

An employer’s medical plan is a covered entity subject to HIPAA privacy, security and breach notification rules (HIPAA). If the medical plan is insured, the insurance company is generally responsible for compliance with HIPAA (provided the employer does not receive any protected health information (PHI), except for limited purposes). If the employer’s medical plan is self-insured, the plan itself – and not the employer – is subject to HIPAA. Nevertheless, since the plan has no employees, it must rely on those workforce members of the employer who are involved in plan administration and various third party administrators to administer the plan.

Even for a self-insured plan, if the employer obtains the employee information from general employment records (e.g., from the employer’s database that has employee demographic information not connected to the medical plan), instead of from the self-insured medical plan records, the employee information is not considered PHI. In addition, enrollment information in the hands of an employer that is performing medical plan enrollment activities on behalf of the employees (for the benefit of the employees) is not PHI and thus not subject to HIPAA. We call this the “enrollment exception.” It can be difficult to determine the parameters of the enrollment exception since enrollment information in the hands of the plan is PHI, so we advise caution in its use.

Whether Form 1095-C contains PHI and thus the use, disclosure and safeguarding of information on it is subject to HIPAA depends on where the employer obtains the information to complete the Form and what information is included on the Form.

Part III of Form 1095-C (Covered Individuals) contains information on whether an employee is enrolled in medical plan coverage and this mere enrollment information is enough to be PHI. If this information is obtained from the plan (e.g., obtained from a database that has medical plan information or from the medical plan third-party administrator), as opposed to from employment records, the information is subject to HIPAA.

Employee demographic information (Part I of the Form) and offer of coverage information (Part II of the Form) may not be subject to HIPAA, depending on where the employer obtained the information.

For self-insured employers (who must complete Part III of the Form regarding enrollment in coverage), we recommend treating the Forms and the data needed to complete the Forms as PHI. (Even for employers with insured plans where Part III of the Form is not completed, the Form and the data used to complete it may be PHI.) We recommend that employers with self-insured plans do the following to ensure compliance with HIPAA with respect to Forms 1095-C and the data used to complete the Forms:

  1. Provide HIPAA training to all in-house employees involved in preparing the Forms;
  2. Enter into a HIPAA business associate agreement with outside consultants and vendors that are assisting in completing the Forms, distributing them to employees or filing them with the IRS;
  3. Apply HIPAA safeguards to the Forms and the data (e.g., make sure they are in a secure place and limit access to those who need to know); and
  4. If you experience a potential breach with respect to the Forms (e.g., delivered to the wrong employees, lost or stolen, viewed by someone who doesn’t need access to them), notify the HIPAA privacy and security officials for the plan, who should consult with legal counsel as needed, perform and document a HIPAA breach analysis, and if it qualifies as a breach, provide required notices (to affected employees, the Department of Health and Human Services and possibly the media).