[ Wednesday, March 10, 2004 ]
FSAs under HIPAA:
Many companies these days have Flexible Spending Accounts, or FSAs, which allow employees to contribute part of their salary pre-tax into an account that the employee can then use to pay for medical costs not covered by the health plan. In other words, an employee puts money away, pre-tax, into the FSA, and things like eyeglasses that aren’t covered by the insurance plan can be paid for out of the FSA. Recently, federal law was changed to allow over-the-counter drugs to be paid for out of an FSA, which should increase their appeal.
There has always been some concern and confusion over whether FSAs are health plans (and therefore covered entities) under HIPAA. The consensus opinion is that they clearly meet the definition of “health plan” under HIPAA, even though there isn’t the usual concern about protecting the privacy of medical records that exists where a full-blown group health plan operates. Additionally, there are a number of companies that operate FSAs with a third party administrator (TPA) who receives requests for payment, vets them and processes the payments. In those cases, the employer only knows the amount of money paid into the plan, and never sees any real PHI (doesn’t see what the money is spent on, or even if the money is spent at all). It doesn’t make any sense that the full obligations of HIPAA should devolve on these plans. However, making sense isn’t a primary goal of HIPAA.
If you have an FSA, your best bet is to do the minimum necessary to comply with HIPAA. If you have a group health plan other than the FSA, piggy-back on your HIPAA efforts with the group health plan: if you can combine them, consider doing so. If you can’t combine them or don’t want to, use the same documents, plan amendments, and policies and procedures you use with your group plan; change the names to the FSA name, send out notices of privacy practices to the FSA participants, etc.
Frequent readers of this blog (or folks who have heard me give HIPAA speeches) know that if anything, I’m anti-alarmist on HIPAA. Many, many folks have made rather large sums of money by getting their clients terrified of what HIPAA might do to them; I’ve tried to keep a level head, perhaps to my own financial detriment. If you have an FSA and use a TPA, there’s virtually no risk at all that you might improperly disclose PHI, which is the primary reason for HIPAA in the first place. Because of that, you might want to weigh the (very low) risk of a real HIPAA violation by your FSA against the cost of getting your FSA into compliance. It might be that you decide to just run the risk. You should know, however, that there is a real risk in not getting your FSA into compliance. That risk doesn’t stem from a possibly damaging leak of PHI, but rather from a disgruntled employee who might use a claim of non-compliance by the FSA as leverage to prevent termination (remember, there are prohibitions on retaliating against a complainant), or from some other rabble-rouser seeking to cause you trouble. Weigh that possibility against the cost of getting your FSA into HIPAA shape. It shouldn’t be too costly to do so (be very wary of lawyers or consultants who want to drag you over every hurdle in getting your FSA into shape; it shouldn’t be that hard, especially if you’ve already got your regular group health plan in HIPAA shape).
Jeff [3:31 PM]