Payroll Vendor Doing ACA Reporting … MUST be HIPAA Compliant

For payroll companies performing ACA reporting, we are increasingly finding that they have forgotten one very important detail … HIPAA and HITECH compliance.

The reason most payroll companies overlook this detail is that they normally work with employee-specific information contained in payroll records. For payroll-record information, the HIPAA Privacy Rule has an exception that allows the data to not be considered Protected Health Information (PHI).

When it comes to ACA reporting, however, there is no similar exception.

The information necessary to complete ACA reporting (list here) contains employee Social Security Numbers connected with medical plan enrollment details. For this reason, the data necessary to complete ACA reporting necessarily includes PHI, and the HIPAA and HITECH compliance rules therefore come into effect.

These rules impose many requirements, including the following:

  • Employers must enter into a Business Associate Agreement with any vendor they share PHI with in order to complete ACA reporting.
  • Once the vendor (the payroll company in this case) comes into contact with the PHI, it is responsible for encrypting and safeguarding that information.
  • Any communication that includes PHI (emails, etc.) must be sent encrypted in order to ensure compliance.
  • Once the payroll company receives the data, it must maintain all other HIPAA and HITECH compliance requirements regarding how the data is accessed and stored.

So one quick question you can ask yourself is, “Did I sign a Business Associate Agreement with the payroll company I hired to do my Affordable Care Act reporting?” If the answer is no, then you might have a problem.

This link is a blog article from the American Institute of CPAs that you might find helpful on this topic. (link here)


If you are curious how we handle HIPAA Compliance for our clients, you can learn more here.