Employer Reporting and HIPAA Compliance

In the flurry of instructions, deadlines, and revisions to the reporting requirements for employers, it’s easy to see how HIPAA’s privacy provisions and their implications could be overlooked. But applicable large employers (and small employers) sponsoring self-funded group health plans should be aware of how HIPAA relates to these reporting requirements, and what must be done to ensure compliance with both.

Under Section 6055 of the Internal Revenue Code, employers of any size offering self-funded group health plans are required to report coverage information for all individuals (employees, spouses, dependents, COBRA beneficiaries, and retirees) covered under the self-funded plan. Applicable large employers will typically report this information in Part III of Form 1095-C, while small employers will report this information on Form 1095-B. To the extent that this information is drawn from records maintained by the employer’s health plan, it falls squarely under the definition of “protected health information,” or “PHI,” subject to HIPAA.

So, can the employer use information obtained from its health plan to fulfill its reporting obligation? The short answer is “yes,” assuming that required protections are in place.

To provide some context, remember that under HIPAA, the plan itself is the covered entity. The employer is the plan sponsor. This may seem like a technical distinction, but it’s important – there are two separate entities at play here. The plan is the entity actually responsible for complying with HIPAA. But the plan only exists on paper. It doesn’t have employees. Therefore, the employer as plan sponsor becomes the de facto entity responsible for actually administering the plan. And the only way an employer can administer the plan is by accessing PHI for certain permitted functions, such as plan administration.

(NOTE – the permitted functions for which PHI may be shared by the plan with the employer do not include employer-related functions. For example, an employer could not, without written authorization from the employee, access information from its health plan in order to verify a diagnosis underlying an employee’s request for leave under the Family and Medical Leave Act (FMLA). FMLA is separate and distinct from the health plan; therefore, an employer would have no authority to access the health plan’s information for FMLA administration.)

So is reporting of coverage information a plan administration function?

Although the guidance isn’t explicit, it seems reasonable to conclude that the employer is carrying out a plan administration function in its use of PHI for reporting coverage under a self-funded plan pursuant to Section 6055. Therefore, as long as the protections required by HIPAA are in place, the plan should be justified in sharing the necessary coverage information with the employer for this purpose.

What protections must be in place?

First and foremost, there should be a plan amendment in place that describes the circumstances (e.g., for plan administration) under which the plan can release PHI to the plan sponsor/employer. The amendment should also describe the ways in which the plan sponsor agrees to safeguard that information, including by creating a “firewall” between those employees who are authorized to handle PHI and those who are not. (Note that this requirement is not unique to sharing PHI for reporting purposes. Employers who sponsor self-funded group health plans should already have this amendment and workforce structure in place.)

Second, remember the minimum necessary rule! Employers should only be requesting the minimum amount of information necessary to fulfill their reporting obligations. (Hint: Detailed claims histories don’t count!)

Third, consider whether any vendors are assisting the employer with its reporting obligations. Will they have access to the information needed to complete Part III of Form 1095-C, or Form 1095-B? If so, has the plan entered into a compliant Business Associate Agreement with the vendor to ensure that the vendor is aware of its obligation to safeguard this information?

Fourth, think about HIPAA compliance more comprehensively. Has your workforce been trained? Do you have policies and procedures in place that govern the use and disclosure of PHI? Have you appointed a Privacy and Security Official? Do you maintain a Notice of Privacy Practices?

Summing Up

As long as the employer, as plan sponsor, has put the appropriate protections in place to handle the exchange and use of PHI, there shouldn’t be any problems – from a HIPAA perspective – in fulfilling employer reporting obligations. And remember, none of these requirements is new! Now, with HIPAA audits of covered entities and business associates underway, and enforcement in general ramping up, it’s more important than ever for employers to ensure that their group health plans are HIPAA-compliant.