Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

HHS Still Undecided on Whether HIPAA Covers FSAs

Whether flexible spending accounts (FSAs) are "health plans" covered by HIPAA's administrative simplification rules has not yet been decided by the U.S. Department of Health and Human Services (HHS), according to a senior agency official.

"The department's legal staff is still wrestling with that issue," said Stanley Nachimson of HHS' Centers for Medicare and Medicaid Services. If FSAs are determined not to be health plans, they will not be "covered entities" subject to HIPAA's privacy or electronic data interchange rules, he noted.

Some outside experts on group health plans expressed surprise that HHS remains undecided. A general consensus exists among ERISA attorneys that FSAs are health plans covered by HIPAA, and HHS would have to add a specific exemption to the rules if it decided otherwise, according to Kathy Bakich, vice president and national director of health care compliance for The Segal Company in Washington, D.C. However, the Bush administration may be seeking to exempt FSAs, along with related arrangements such as medical savings accounts (MSAs) and health reimbursement arrangements (HRAs), as part of its policy of encouraging defined contribution health plans, she added.

"I find this whole debate absolutely puzzling," agreed Phyllis Borzi, an attorney with O'Donoghue and O'Donoghue in Washington, D.C. "ERISA lawyers have no doubt in their mind; I wonder what these health lawyers are telling [HHS]." FSAs, MSAs and HRAs are treated as health plans under HIPAA's portability provisions and are not specifically exempted under the administrative simplification provisions, she noted.

Nachimson, speaking at a Jan. 21 audioconference sponsored by the American Bar Association, declined to speculate on the factors being considered by HHS. "I'm not privy to the discussion of why the department is having so much difficulty," he said.

FSAs and HRAs raise many of the same privacy issues as conventional plans, said Joy Pritts, senior counsel for the Health Privacy Project in Washington, D.C., because they require participants to submit documentation of their health care in order to be reimbursed.

However, HHS does need to remedy an apparently unintended consequence of classifying FSAs as health plans, according to Mark Lutes, an attorney with Epstein, Becker & Green in Washington, D.C. "There are a huge number of employers that are insured but for their FSA," which is by nature not insured, he said. Under the rules as currently written, the FSA appears to disqualify these employers from the rules' "fully insured" exemption from notice and other administrative requirements, he said.

To fix this problem, HHS does not need to exempt FSAs from HIPAA's privacy rules altogether, Lutes said. Instead, the agency could simply create a "safe harbor" for group health plans that are removed from FSA administration, allowing the plan to delegate compliance with the administrative requirements to its third-party administrator, he said.

Borzi said she already is advising plan sponsors in this situation to make this delegation in their business associate contract with the FSA vendor. Both the privacy notice and the responsibility to respond to individual requests can be assigned to the recordkeeper this way, she said. Plan sponsor employees with access to protected health information still must be trained, but "that's a relatively minor burden," she said.

One difficulty with this strategy is the degree of "push-back from the recordkeepers," Borzi noted. "Some vendors have absolutely refused to take on that responsibility."

Reprinted with permission from the February 2003 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.