Group Health Plan Compliance Deadlines

As March approaches, employers who sponsor group health plans face two critical compliance deadlines. These requirements involve Medicare Part D reporting and HIPAA breach notifications, each carrying distinct obligations for plan sponsors. Both of these deadlines fall on March 1st.

Medicare Part D Creditable Coverage Reporting

By March 1, 2025, employers sponsoring group health plans must submit the annual Medicare Part D creditable coverage disclosure to the Centers for Medicare & Medicaid Services (CMS).

This electronic submission requires detailed information including:

  • Company identification details and contact information
  • Specifics about prescription drug coverage options
  • The number of Medicare-eligible participants in each plan
  • Creditable coverage status for each prescription drug option

Plan sponsors should note that any changes to prescription drug coverage or creditable coverage status must be reported to CMS within 30 days of the modification.

HIPAA Breach Reporting Requirements

The March 1 deadline also applies to reporting certain HIPAA breaches that occurred during 2024. Specifically, group health plans (and other covered entities and business associates) must report small breaches—those affecting 500 or fewer individuals—to the Department of Health and Human Services’ Office for Civil Rights (OCR) through its online portal.

While third-party administrators may assist with the reporting process, employers with self-funded plans retain ultimate responsibility for ensuring timely compliance. 

The reporting framework includes additional requirements based on breach severity:

  • For breaches affecting over 500 individuals, plans must notify both affected individuals and HHS within 60 days of discovery
  • When a breach impacts more than 500 residents of a single state, plans must also alert prominent media outlets serving that state within the same 60-day window
  • All affected individuals must receive notification within 60 days, regardless of breach size

As these deadlines approach, employers should review their reporting obligations and ensure they have gathered all necessary information for timely submissions. Maintaining compliance with these requirements helps protect both the organization and its plan participants while avoiding potential regulatory consequences.
