self Administered FSA Plans and HIPAA?

[Guest SOLOHR]

• We have a fully funded HSA plan with a limited FSA.
  
• We also have a PPO with a regular FSA plan that employees can choose if they don't qualify for the high deductible plan.
  
• Currently, have a little less than 50 employees, but that number does go up and is expected to go up to over 100 in the next few years.
  
• The company self administers the FSA plan. What HIPAA issues do you see?
  

Thanks for the help...

[LRDG]

Medical and Dependent Care FSAs are not subject to HIPAA.

Medical FSA is subject to COBRA, most often for EEs terminating employment w/available Medical FSA funds. A qualified beneficiary the result of divorce eligible for Medical FSA participation, in practical terms doesn't have benefit of a salary reduction arrangement for funding their Medical FSA. Therefore the COBRA Medical FSA is funded with after tax contributuions, reimbursements subject to claims substantiation, no W-2 form reduction in income, and are in addition subject to the 2% administration fee. In this example there is little incentive for a COBRA beneficiary to participate in a Medical FSA.

HIPAA and COBRA relate to protection of rights to medical coverage and do not apply to Dependent Care FSAs.

[KJohnson]

Medical FSAs are subject to HIPAA privacy and security unless you have under 50 participants and self-administer.

A participant is defined as any employee or former employee of an employer, or any member or former member of an employee organization, who is or may become eligible to receive a benefit of any type from an employee benefit plan that covers employees of such employer or members of such organizations, or whose beneficiaries may be eligible to receive any such benefit. Thus folks who are eligible but don't reduce their salary are counted.

If any employer of any size uses a third party administrator (TPA) to administer its Medical FSA, it is outside the exception and must comply.

[GBurns]

SOLOHR

I suggest that you do a Google search using "medical FSA HIPAA". You will get many explanations, some with cites, of when medical FSAs are subject to HIPAA etc. This should clarify the issue for you.

Pay attention to the under 50 participants requirement, the definition and how and when they are counted. Note that it is eligible participants not employees.

[LRDG]

I considered Credible Coverage and pre-ex, completely overlooking privacy and security related issues.

Link to HIPAA Final Regs., issued December 30, 2004 in Federal Register:

http://www.dol.gov/ebsa/regs/fedreg/final/2004028112.pdf

[lvena]

I'd like to comment about the future for you, since you mentioned in your post that the group intends to grow and will be over 50 lives soon.

The HIPAA requirements are easy to find and understand, but can be difficult to implement and abide by. Depending on your company structure and resources, only you can make a judgement about self administering or contracting it out. For example, if your company is a Third Party Administrator, working in the FSA and HSA markets already, my guess is that you could easily self-administer. If your company is a manufacturing firm, with minimal HR staff/resources, it might be a little more difficult.

Good luck.