Over the past year, employers have been assessing the impact of the privacy regulations issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") on the operations of their health plans. For many health plans, compliance with these regulations did not require significant efforts, and the initial deadline—April 14, 2003—passed without incident. Now, a new HIPAA deadline is approaching, and employers must consider the impact of the privacy regulations on a less-obvious health plan—the health flexible spending or medical reimbursement account ("FSA").

HIPAA’s initial compliance deadline affected "large" health plans (i.e., those with more than $5 million in annual claims payments or premiums), while the second deadline—April 14, 2004—affects most other health plans. Regardless of their size, the extent to which health plans must take affirmative steps to comply with HIPAA is determined mainly by how they are funded. When health plan benefits are paid on a "fully-insured" basis (i.e., through a contract with a health insurer or HMO like Blue Cross or Kaiser Permanente), HIPAA compliance responsibilities are usually minimal. However, "self-funded" health plans (i.e., those whose benefits are paid out of the employer’s general assets) are subject to the full litany of compliance responsibilities imposed by HIPAA.

Thanks to the interaction of HIPAA’s definition of "health plan" and the manner in which FSAs are funded (out of the employer’s own assets, i.e., self-funded), most employers will be required to take action to ensure their FSAs are in compliance with HIPAA.

What does HIPAA compliance for FSAs entail? HIPAA imposes three primary requirements on FSAs (and self-funded health plans generally): (1) the FSA must adopt procedures to allow participants to exercise their rights of access and amendment and to request an accounting of disclosures of their "protected health information" ("PHI") and must provide a notice describing these rights; (2) the employer must amend the FSA documents to incorporate various provisions that obligate the employer to handle any PHI it receives from the FSA in accordance with HIPAA; and (3) the FSA must implement a series of administrative safeguards to ensure that the PHI it generates will be handled appropriately. In addition, if an FSA is administered or otherwise serviced by third-party vendors, it may be necessary for the employer to negotiate "business associate" agreements with them on behalf of the FSA.

There is a fair amount of complexity involved in each of these requirements, but the main tasks facing FSAs and employers under HIPAA are summarized below:

  • Administrative Safeguards
    • Appointment of a privacy officer for the FSA
    • Adoption of privacy policies and procedures
    • Training of staff who work with the FSA
  • Plan Amendments
    • Adoption of amendment incorporating required HIPAA provisions into the FSA
    • Implementation of a "firewall" (an administrative separation of roles and records, not a network control) to separate employees with approved access to PHI from other employees
  • Participant Rights
    • Distribution of notice of privacy practices adopted by the FSA
  • Business Associates
    • Negotiation and implementation of appropriate agreements with FSA vendors

The deadline for accomplishing all of these tasks for most FSAs is April 14, 2004 (larger FSAs were required to be compliant by April 14, 2003).

Because FSA administration is often outsourced, employers typically have little involvement in the day-to-day operations of their FSAs and almost no need to handle PHI generated by them. In addition, almost all of the PHI handled by FSAs (or their administrators) is supplied by employees rather than by health care providers or insurers. The HIPAA privacy rules were not tailored to address standard FSA administrative practices, and, as a result, many of the foregoing requirements will fit imperfectly with those practices. Ultimately, however, HIPAA compliance for most FSAs will require the preparation of a substantial amount of documentation but is not likely to significantly affect their actual operations.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved