Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity that experiences a ransomware attack or other cyber-related security incident must take immediate steps to prevent or mitigate any impermissible release of protected health information (PHI).
The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a checklist to help HIPAA-covered entities determine the specific steps they must take in the event of a data breach.
Entities subject to HIPAA should become familiar with the OCR’s checklist and other guidance for handling cyber security breaches involving PHI. These entities should also ensure they have plans for mitigating the effects of breaches.
OCR Quick-response Checklist
In the event of a cyber attack or similar emergency, a covered entity must do the following:
- Execute its response and mitigation procedures and contingency plans.
- Report the crime to appropriate law enforcement agencies.
- Report all cyber threat indicators to federal and information-sharing and analysis organizations.
- Report the breach to affected individuals and to the OCR as soon as possible.
HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR and other agencies. In general, a reportable breach occurs anytime PHI was accessed, acquired, used or disclosed.
For more information about this rule and its potential impact on your company, please contact HealthSure.
The Internal Revenue Service (IRS) Office of Chief Counsel has recently issued several information letters regarding the Affordable Care Act’s (ACA) individual and employer mandate penalties. These letters clarify that:
- Employer shared responsibility penalties continue to apply for applicable large employers (ALEs) that fail to offer acceptable health coverage to their full-time employees (and dependents); and
- Individual mandate penalties continue to apply for individuals that do not obtain acceptable health coverage (if they do not qualify for an exemption).
These information letters clarify that the ACA’s individual and employer mandate penalties still apply. Individuals and ALEs must continue to comply with these ACA requirements, including paying any penalties that may be owed.
The ACA’s employer shared responsibility rules require ALEs to offer affordable, minimum value health coverage to their full-time employees or pay a penalty. These rules, also known as the “employer mandate” or “pay or play” rules, only apply to ALEs, which are employers with, on average, at least 50 full-time employees, including full-time equivalent employees (FTEs), during the preceding calendar year. An ALE may be subject to a penalty only if one or more full-time employees obtain an Exchange subsidy (either because the ALE does not offer health coverage, or offers coverage that is unaffordable or does not provide minimum value).
The ACA’s individual mandate, which took effect in 2014, requires most individuals to obtain acceptable health insurance coverage for themselves and their family members or pay a penalty. The individual mandate is enforced each year on individual federal tax returns. Individuals filing a tax return for the previous tax year will indicate, by checking a box on their individual tax return, which members of their family (including themselves) had health insurance coverage for the year (or qualified for an exemption from the individual mandate). Based on this information, the IRS will then assess a penalty for each nonexempt family member who doesn’t have coverage.
On Jan. 20, 2017, President Trump signed an executive order intended to “to minimize the unwarranted economic and regulatory burdens” of the ACA until the law can be repealed and eventually replaced. The executive order broadly directs the Department of Health and Human Services and other federal agencies to waive, delay or grant exemptions from ACA requirements that may impose a financial burden. However, the executive order does not include specific guidance regarding any particular ACA requirement or provision, and does not change any existing regulations.
IRS Information Letters
Office of Chief Counsel issued a series of information letters clarifying that the ACA’s individual and employer mandate penalties continue to apply.
- Letter numbers 2017-0010 and 2017-0013 address the employer shared responsibility rules.
- Letter number 2017-0017 addresses the individual mandate.
According to these letters, the executive order does not change the law. The ACA’s provisions are still effective until changed by Congress, and taxpayers are still required to follow the law, including paying any applicable penalties.
For additional information on the ACA Executive Order and the current tax filing season, please visit www.irs.gov/tax-professionals/aca-information-center-for-tax-professionals.
On July 28, 2017, the Internal Revenue Service (IRS) released draft 2017 forms for reporting under Internal Revenue Code (Code) Sections 6055 and 6056.
- 2017 draft Forms 1094-C and 1095-C will be used by applicable large employers (ALEs) to report under Section 6056, as well as for combined Section 6055 and 6056 reporting by ALEs who sponsor self-insured plans.
- 2017 draft Forms 1094-B and 1095-B will be used by entities reporting under Section 6055, including self-insured plan sponsors that are not ALEs.
Instructions for these 2017 forms have not yet been released. The draft 2017 forms are substantially similar to the final 2016 versions, except that sections related to expired Section 4980H Transition Relief were removed. Once released, the draft instructions may include some additional clarifications.
Employers should become familiar with the planned revisions to the forms. However, these forms are draft versions only, and should not be filed with the IRS or relied upon for filing.
The Affordable Care Act (ACA) created reporting requirements under Code Sections 6055 and 6056. Under these rules, certain employers must provide information to the IRS about the health plan coverage they offer (or do not offer) or provide to their employees. Each reporting entity must annually file all of the following with the IRS:
- A separate statement (Form 1095-B or Form 1095-C) for each individual who is provided with minimum essential coverage (for providers reporting under Section 6055), or for each full-time employee (for ALEs reporting under Section 6056); and
- A transmittal form (Form 1094-B or Form 1094-C) for all of the returns filed for a given calendar year.
Reporting entities must also furnish related statements (Form 1095-B or 1095-C, or a substitute form) to individuals.
Forms must generally be filed with the IRS no later than Feb. 28 (March 31, if filed electronically) of the year following the calendar year to which the return relates. Individual statements must be furnished to individuals on or before Jan. 31 of the year immediately following the calendar year to which the statements relate.
2017 Draft Forms
The 2017 draft forms are substantially similar to the final 2016 versions of these forms. However, note the following:
- Section 4980H Transition Relief. Several forms of transition relief were available to employers under Section 4980H for the 2015 plan year (including any portion of the 2015 plan year that fell in 2016). However, this transition relief no longer applies for 2016 plan years and beyond. As a result, references to this transition relief on Form 1094-C have been removed. For example, the following two sections on Form 1094-C related to this transition relief have been designated as “Reserved” and should not be used: Part II, in the “Certifications of Eligibility” Section on Line 22, Box C; and Part III, in the “ALE Member Information – Monthly” table, column (e).
- Instructions for Recipient. Both individual statements (Forms 1095-B and 1095-C) include an “Instructions for Recipient” section. On both of the 2017 draft Forms 1095-B and 1095-C, the following paragraph was added: “Additional information. For additional information about the tax provisions of the Affordable Care Act (ACA), including the individual shared responsibility provisions, the premium tax credit, and the employer shared responsibility provisions, see www.irs.gov/Affordable-Care-Act/Individuals-and-Families or call the IRS Healthcare Hotline for ACA questions (1-800-919-0452).”
No additional changes were included in the 2017 draft forms. However, once released, the 2017 draft instructions for these forms may include additional changes or clarifications. In addition, the IRS may make changes to the draft forms before releasing final 2017 versions.
The 2016 versions of these forms are currently available on the IRS website:
- Form 1094-B and Form 1095-B (and related instructions); and
- Form 1094-C and Form 1095-C (and related instructions).
These forms must have been filed with the IRS no later than Feb. 28, 2017 (March 31, 2017, if filing electronically). However, the IRS extended the due date for furnishing individual statements for 2016 an extra 30 days, from Jan. 31, 2017, to March 2, 2017. The IRS does not anticipate extending the filing or furnishing deadlines for 2017 reporting.
According to the IRS, information returns under Sections 6055 and 6056 may continue to be filed after the filing deadline (both on paper and electronically). Employers that missed the filing deadline should continue to make efforts to file their returns as soon as possible.
The IRS also previously released:
Q&As on Section 6055 and Q&As on Section 6056; and
A separate set of Q&As on Employer Reporting using Form 1094-C and Form 1095-C.
Please contact HealthSure for more information on reporting under Code Sections 6055 and 6056.
The Department of Labor (DOL) released a final rule that expands who is considered a “fiduciary” when providing investment advice to retirement plans and their participants. The rule also applies to individual retirement accounts (IRAs) and health savings accounts (HSAs).
After being delayed, the final rule became effective June 9, 2017.
Under the rule, a person is a fiduciary if the person receives compensation for providing investment advice with the understanding that it is based on the particular needs of the person being advised or that it is directed at a specific plan sponsor, plan participant or account owner. Fiduciaries may be held personally liable in the event of a fiduciary breach.
Individuals who provide advice on HSAs may be considered fiduciaries if their communications rise to the level of investment recommendations covered by the final rule.
Contact HealthSure for more information and guidance on this new rule.
The Department of Labor (DOL) has officially dropped its support for the new overtime rule. The rule, originally scheduled to take effect in December 2016, was halted by a federal court soon before its enactment.
The DOL plans to revisit the overtime rule and use a lower salary threshold. However, in the meantime, the DOL asked that the court validate its authority to determine salary thresholds to be used in future rules. It is uncertain what the new threshold might be.