
Guest SCUDDESLER
Posted

It is my understanding that, a health FSA is exempt from HIPAA if coverage under the health FSA does not exceed the greater of:

(1) $500 more than the participant's elective contribution; or

(2) Twice the participant's elective contribution; and

(3) The covered person has other group health coverage available (and that other coverage is not exempt from HIPAA).

Assuming that all of the contributions to the health FSA are employee contributions, there are more than 50 participants in the health FSA and/or it is not self-administered, and the employer also sponsors a fully insured medical plan (which is subject to HIPAA), are the employer's only obligations under the HIPAA Privacy Rule to comply with the no-retaliation and waiver requirements and amend plan documents (i.e., the employer's group health plans are not "covered entities")? Even if the health FSA were a covered entity, would the medical plan be a covered entity (assuming that the employer only receives summary and enrollment information)?

Posted

The exception you cited for health FSAs is designed to exempt FSAs from the portability rules of HIPAA.

It appears that HIPAA's privacy rules apply to all FSAs.

Posted

Carsca is right.

However, there have been some rumblings that HHS is considering exempting FSAs from the privacy requirements.

As far as the second part of SCUDDESLER's question, a fully-insured medical plan is a covered entity. Such plans are exempted from most of the administrative requirements of HIPAA (e.g., appointing a privacy officer). The sponsor will still need to enter into business associate contracts with business associates and amend documents.

As an aside, the employer should carefully review its practices to ensure that no PHI beyond SHI is received. In my experience, many employers who make this assertion are unaware of the activities of their own HR or benefits employees.

Posted

Correct me if I'm wrong, Steve72, but what you are saying in other words is that a fully-insured health plan that receives PHI that is not SHI or enrollment information must comply with HIPAA's administrative requirements (i.e., it must appoint a privacy officer).

Posted

That is correct, see Section 164.530(k)(1)(ii) of the Privacy Rule.

Additionally, if the employer receives PHI beyond SHI or enrollment, it should review the purposes for which the PHI is utilized. Even though employers are not subject to HIPAA's sanctions, the fact that an amendment has been made to the plan would make any non-HIPAA compliant use a violation of ERISA.

I've always thought that little end-around was a clever move by HHS.

Posted

I'm not sure I understand what you mean. What section of the Privacy Rule regs triggers ERISA protection?

Posted

The regs require that a plan document be amended to state that the plan will only disclose PHI to the employer once it receives a certification from the employer that the PHI will be used for limited purposes.

Causing the plan to disclose PHI to the employer, which is then used by the employer for purposes that would not be permitted by HIPAA, is arguably a failure to follow plan documents.

Posted

That IS sneaky...
