CPAs Performing ACA Reporting … Pay Attention to HIPAA Compliance

In working with CPAs across the county, we have found that the overwhelming majority have not been aware that in order to perform Affordable Care Act (ACA) reporting on forms 1095-B and 1095-B for their clients that they must be HIPAA Compliant.  The confusion is understandable, since this likely is the first time they have ever really dealt with Protected Health Information (PHI).  Employee benefit brokers typically work with PHI on a daily basis every day, and thus are familiar with the requirements, such as entering into a business associate agreement with your client.  However on the whole, we are finding out that CPAs are not aware.

This link here from will be helpful to anyone who is looking to further research this issue regarding how business associate agreements work.  In addition, you will see CPA firms listed as examples of business associates.

Well what about employment and payroll records?  The immediate defense of CPAs normally is that they already are working with this type of information and are not required to be HIPAA compliant.  However, it is important to understand that HIPAA Privacy rules exclude these type of records that CPAs often work with. When it comes to working with PHI for this Affordable Care Act reporting though, this is a different story.

This link is a blog article from the American Institute of CPAs that you might find helpful on this topic. (link here)

What is PHI?

In terms of ACA reporting, whoever performs this reporting will indeed become in possession of PHI when they receive medical plan participants enrollment dates, dis-enrollment dates and social security numbers.  Since the information that is being received is connected with a health plan, this information becomes PHI.  Anytime you come into contact with PHI, you must enter into a business associate agreement and take certain other steps to maintain HIPAA compliance.

What is required of CPAs to be HIPAA compliant?

We would strongly suggest you speak with an attorney (as we do not give legal advice).  When you speak with an attorney, you will likely find the following items below as necessary:

  • Entering into a business associate agreement with clients
  • HIPAA training of all staff
  • Internal HIPAA security measures to ensure compliance with HITECH Regulations
  • Ensuring the servers and other computers in which you hold PHI are encrypted, fire walled, have server logs and audits, etc.
  • Rules on how data breaches are handled and communicated
  • Normally it is recommended to have Cyber Security insurance policies in place
  • It is also a very good idea to ensure your E&O insurance will cover you for these activities

Again, don’t take our word for it … definitely speak with an attorney.  And if we can help you, please let us know.  We partner with CPAs across the country to assist them with delivering an ACA reporting solution to their clients.