• The Basics

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains rules designed to protect the confidential medical information of patients and health plan members. The rules apply to Covered Entities and Business Associates. Medical providers, insurance companies and employer sponsored health plans are all potentially HIPAA Covered Entities.

    This tool is designed to assist employers that sponsor fully-insured group health plans that are administered by an insurer, for which the employer receives only limited information and in which it has limited involvement, alongside a Section 125 Health Flexible Spending Account (HFSA) that is administered by an outside organization such as a Third Party Administrator (TPA). The Department of Health and Human Services (HHS) has made it clear that an HFSA is a medical plan subject to the HIPAA Privacy & Security Rules. Before addressing these rules as they apply to an HFSA, let’s first review the basics of each rule.

    1. The HIPAA Privacy Rule is designed to protect the privacy of an employee’s individually identifiable health information related to the health plan(s) the employer sponsors. HIPAA calls this information Protected Health Information (PHI). Employers often also have access to employees’ individually identifiable health information due to employment issues such as FMLA, Workers Comp, pre-employment physicals, etc. Employment-related medical information is not subject to HIPAA (but other laws such as the ADA may apply).

    2. When an employer sponsors a fully-insured plan for which it receives only limited information and has limited involvement, many of HIPAA’s privacy requirements don’t apply (see more on this below, under “Special Rules for Fully-Insured Plans”).

    3. Section 125 HFSAs are considered self-funded health plans. Unlike the fully-insured plans described above, in order to comply with HIPAA, the HFSA must meet a series of requirements, even if the employer receives little or no individually identifiable data from their TPA.

    4. There are several privacy standards or rules that may apply to a Covered Entity. A Covered Entity must have written policies and/or procedures to address these standards.

    It is important to realize that HIPAA considers the employer’s health plans, including the HFSA, to be separate entities from the employer. The employer acts as the plan sponsor and may have plan administration responsibilities under ERISA. However, the plan itself, not the employer, is the Covered Entity under HIPAA.

    One of the causes for confusion is that typically the plan itself has no actual employees. The staff of the plan sponsor (the employer) operates the plan. If the plan hires a TPA to actually perform the day-to-day administration and claims processing for the plan, this other entity is considered a Business Associate.

    Utilizing a Business Associate may simplify the role of the employer, but it does not change its compliance responsibility under HIPAA. The HFSA is still the Covered Entity. The employer (as the plan sponsor) is still responsible for the compliance of the plan, even though the TPA as Business Associate may in reality be handling most of the plan’s PHI.

    HIPAA allows certain multiple Covered Entities to operate as a single arrangement called an Organized Health Care Arrangement (OHCA) for HIPAA policy and procedure purposes (45 C.F.R. §160.103). This includes one or more group health plans, each of which is maintained by the same plan sponsor. The policies and procedures in this tool are designed to cover all plans sponsored by the employer (both the fully-insured plans and the HFSA) under the OHCA “umbrella.”

    Covered Entities are also required to comply with the HIPAA Security Rule. The Security Rule is designed to protect what is referred to as electronic Protected Health Information (ePHI), which is PHI that is transmitted or stored electronically by or on behalf of a Covered Entity.

    Examples of ePHI include:

    • Emailed claim reports containing individually identifiable data such as names, ID numbers, etc.
    • Online member data accessed by the employer’s health plan (other than for enrollment purposes).
    • Claims or enrollment reports downloaded and stored on the employer’s shared network folder.

    The Security Rule contains several standards that must be addressed by a Covered Entity. The first step every employer must complete is to perform a Risk Analysis to identify what ePHI its plans use, maintain, and transmit, and what security measures are currently in place with respect to such information. The Risk Analysis is used to help the employer identify and document the policies and procedures it follows (or will follow) to safeguard its ePHI. The Risk Analysis is incorporated into the policies and procedures. It should be reviewed carefully to ensure that it accurately reflects the employer’s understanding regarding its ePHI.

    If an employer operates its fully-insured plans in a way that meets certain guidelines, the employer can avoid most of the HIPAA privacy requirements for those plans, and the HIPAA security requirements may be simplified significantly. To qualify for this special treatment, an employer must meet these standards:

    • The employer can receive only “Summary Health Information” from the insurer. Summary Health Information is claims data that has all individual identifiers, except for limited geographical information, removed. For example, a claim report that lists the highest claims incurred by a plan by employee ID number is not Summary Health Information. On the other hand, a claim listing that simply lists the 5 highest claims by amount paid but contains no name, ID number, address, etc. typically qualifies as summary data.

    • The employer’s plan is also allowed to use and disclose enrollment and disenrollment information for plan operation purposes. This can include some identifiable information such as name, birth date, hire date, age, etc. necessary to enroll or terminate the individual from the health plan.

    Once again, this tool is designed for employers who sponsor only fully-insured plans as described above, except for a Section 125 HFSA. If the plan sponsor offers other plans subject to HIPAA, additional compliance obligations may exist and the sponsor should consult with their advisor.