Chaz Posted September 3, 2008 Posted September 3, 2008 Can a service provider who provides HSA debit cards and other HSA administrative services be a business associate of a group health plan under HIPAA? Practically, the answer should be yes, but is the service provider providing payment or health care operations on behalf of the plan? I'm not so sure. [CROSS POSTED TO HSA BOARD]
masteff Posted September 8, 2008 Posted September 8, 2008 It appears the answer depends in part on how the employer's relationship to the HSA provider is structured. The DOL says it's not an ERISA plan: http://www.dol.gov/ebsa/regs/fab_2004-1.html#section1 But the HIPAA rules might still catch it as explained here: http://www.kilpatrickstockton.com/publicat...EBlegal3.26.pdf On a more current note, the US Chamber is lobbying to get HSA's excluded from HIPPA: http://www.uschamber.com/issues/index/health/hsa.htm What does your HSA provider say? Kurt Vonnegut: 'To be is to do'-Socrates 'To do is to be'-Jean-Paul Sartre 'Do be do be do'-Frank Sinatra
Chaz Posted September 9, 2008 Author Posted September 9, 2008 It's not really the provider's problem because in any event it is not a covered entity. It is the plan that is balking. I saw that K&S alert but I was wondering if there has been anything since then. Thanks.
masteff Posted September 9, 2008 Posted September 9, 2008 It's not really the provider's problem because in any event it is not a covered entity. My thinking is the provider has more than one client so they've been down the road before and surely have their own opinion. How many companies do they offer the service to? Personally, I'd ask them to sign and if they refuse then make them put in writing why not. It's safer for the employer to have the provider sign. And US Chamber site is current and they for sure think it's an open issue. The 2006 legislation that made changes to HSA's certainly did nothing to address this. Kurt Vonnegut: 'To be is to do'-Socrates 'To do is to be'-Jean-Paul Sartre 'Do be do be do'-Frank Sinatra
Chaz Posted September 9, 2008 Author Posted September 9, 2008 The HSA world is kind of the wild wild west out there. There are so many issues, this being one of them, that I don't think were contemplated when HSAs were created. I find a lot of administrators, plans, and providers are flying by the seat of their pants. An overriding issue is, if the administrator is NOT a BA, can the plan provide PHI to the administrator under HIPAA without the participants' authorization (because the plan is not disclosing the information for TPO purposes). If the administrator is not a BA, then a BA agreement won't help, don't you think?
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now