HIPAA Privacy Requirements and Health Care Flexible Spending Accounts, Have Smaller Employers Forgotten Something?

Larry Grudzien J.D.,L.L.
March 19, 2008
Confusion and Noncompliance

45 CFR Section 164.530(k) provides an exception from many administrative safeguards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) if an employer sponsors a group insured health plan that does not create, maintain, or receive "protected health information" (PHI). Under this exception, the group health plan is not required to maintain or provide privacy notices or to comply with any of HIPAA's administrative safeguard provisions, except for the prohibitions against intimidating or retaliatory acts and against requiring a waiver of HIPAA rights. Because the insurance company providing the health benefits is considered a "covered entity," it must meet these HIPAA requirements itself. This exception still applies even if the insurance company provides the employer sponsoring the health plan with summary health information and enrollment/disenrollment information.

Because many small employers insure their health benefits, they have not concerned themselves with these requirements and have simply distributed the insurance company's privacy notices. Many of these same employers also sponsor health care flexible spending account plans ("Health Care FSAs") for their employees. Under 45 CFR Section 160.103, a Health Care FSA is considered a "group health plan" and is subject to HIPAA's administrative simplification provisions. Because these plans are considered to be self-insured, the exception discussed above does not apply, and they must comply with these rules. If the Health Care FSA and the insured health plan are administered as one plan, the "entire" plan must comply with all of HIPAA's administrative simplification requirements.

The only exception that applies to Health Care FSAs is contained in 45 CFR Section 160.103. It provides that plans with under 50 participants that are self-administered are exempt from complying with HIPAA's administrative simplification provisions. For purposes of determining the number of participants, a participant is defined under ERISA Section 3(7). Under that section, a participant is any employee or former employee of an employer, or any member or former member of an employee organization, who is or may become eligible to receive a benefit of any type from an employee benefit plan that covers employees of such employer or members of such organization, or whose beneficiaries may be eligible to receive any such benefit. If an employer of any size uses a third party administrator (TPA) to administer its Health Care FSA, it is outside the exception and must comply.

Responsibility for Compliance

Under 45 CFR Section 160.102, "covered entities" are responsible for complying with HIPAA's administrative simplification requirements. 45 CFR Section 160.103 defines covered entities as (1) health plans, (2) health care clearinghouses, and (3) health care providers that conduct certain types of transactions in electronic form. Because the employer's Health Care FSA is considered a "health plan," it is primarily responsible for compliance. It cannot transfer its responsibility to any other third party, including the insurance company, the sponsoring employer, or any TPA.

Penalties for Noncompliance

Under Social Security Act Section 1176, the Office for Civil Rights (OCR) of the Department of Health and Human Services may impose civil penalties on the covered entity for unintentional disclosure of PHI of $100 for each requirement or prohibition violated (up to a maximum of $25,000 per calendar year for each identical violation). This maximum relates to each separate type of violation. The amount of the penalty imposed on a "covered entity" may be much higher because compliance failures would most likely involve violations of numerous HIPAA provisions.

Under Social Security Act Section 1177, the Department of Justice has the authority to impose criminal penalties if a person knowingly misuses a unique identifier or improperly obtains or discloses individual identifiable health information. These penalties may be imposed on both covered entities and business associates. As with other criminal provisions, the "knowingly" standard requires that the person have the requisite state of mind, i.e., knowledge of the fact that he or she is committing the act (but not necessarily that the act is a violation of law).

The criminal penalties include:

-A fine of not more than $50,000, imprisonment of not more than one year, or both, for knowing violations;

-If the offense is under false pretenses, a fine not to exceed $100,000, imprisonment of not more than five years, or both; and

-If the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisonment of up to three years, or both.

HIPAA's Administrative Simplification Requirements

To comply with HIPAA's administrative simplification requirements, covered entities must meet three primary components:

-Privacy Standards: These requirements address who is authorized to access information and the right of individuals to determine how their information is to be used or disclosed.

-Security Standards: These requirements address the ability to control access and protect information from accidental or intentional disclosures to unauthorized persons or from unauthorized alteration, destruction, or loss.

-Transaction Standards: These requirements promote the standardization of certain payment-related electronic transactions.

Protected Health Information

HIPAA's administrative simplification requirements protect all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. 45 CFR Section 150.103 calls this information "protected health information (PHI)."

45 CFR Section 160.103 defines "Individually identifiable health information" as information, including demographic data, that relates to:

-the individual's past, present or future physical or mental health or condition,

-the provision of health care to the individual, or

-the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe that such information can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, social security number).

45 CFR Section 160.103 excludes from the definition of protected health information employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act [20 U.S.C. § 1232g].

Under 45 CFR Section 164.514(a), there are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information: either 1) a formal determination by a qualified statistician, or 2) the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers. Under the second method, the information is considered de-identified only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

Privacy Standard

Generally, under 45 CFR Sections 164.500 to 534, covered entities are prohibited from using or disclosing PHI for purposes other than treatment, payment, and health care operations. Most other uses or disclosures may be made only after a specific authorization has been obtained from the affected individual. The health plan may not disclose PHI to the employer sponsoring the plan unless certain privacy requirements are added to the plan document. Those third parties that contract with health plans and have access to PHI ("business associates") may not have access to PHI unless these requirements are written into business associate contracts. HIPAA also requires that health plans maintain records of disclosures and provide individuals with access to their health information.

To meet this privacy standard, a covered entity must meet four core requirements:

-Use and Disclosure of PHI for Employment Purposes Are Generally Prohibited: Covered entities are generally prohibited from disclosing PHI to employers other than for certain plan administrative functions. An employer may receive summary information and enrollment information for certain defined purposes.

-Scope of Disclosures Limited: Disclosures of PHI are limited to the minimum amount necessary to achieve the permitted purposes (treatment, payment, or health care operations) of the disclosure. The covered entity must establish procedures to ensure compliance with this requirement.

-Individual Rights: Covered entities must provide individuals with a notice of the entity's privacy practices. Individuals must be able to access their records and request changes, and have the right to receive an accounting of past disclosures that were not individually authorized.

-Administrative Safeguards: Covered entities must implement written privacy procedures and appropriate safeguards. In addition, covered entities must designate a privacy officer, train employees, establish a process by which individuals can lodge complaints, and develop a system of sanctions for those who violate the rules.

As indicated above, disclosures for treatment, payment, and health care operations are permitted without an individual authorization from participants and their covered dependents. For Health Care FSAs, this exception covers many of the plan's operations. 45 CFR Section 164.501 defines the terms "treatment," "payment," and "health care operations" as follows:

-"Treatment" includes the provision, coordination, or management of health care and related services by one or more health care providers, including coordination of care by a provider with a third party, consultations between providers, and referrals to other providers.

-"Payment" includes any activity undertaken by the plan to determine or fulfill its responsibility for providing benefits or to obtain or provide reimbursement for health care. (For example, payment could include eligibility and coverage determinations, adjudication or subrogation of claims, and review of services with respect to medical necessity, coverage under the plan, or justification of charges.)

-"Health care operations" include any activity compatible with and directly related to treatment or payment. (For example, health care operations could include internal quality review, medical review, legal services, auditing functions, and general administration.)

The deadline for compliance was April 14, 2003. If a covered entity is considered to be a "small health plan," the deadline was extended to April 14, 2004 by 45 CFR Section 164.534(b)(2). A "small health plan" is defined under 45 CFR Section 160.103 as a health plan with $5 million or less in annual receipts. In explaining how to determine "annual receipts," the Centers for Medicare and Medicaid Services, in the Q&As posted on its web site, indicated the following:

-Fully-insured health plans: Fully-insured plans should use the amount of total premiums paid for health insurance in the plan's last full fiscal year.

-Self-insured health plans: Plans that are self-insured should use the total amount paid for health claims during the plan's last full fiscal year. This means claims paid by the employer, plan sponsor, or benefit fund, whichever is applicable.

-Plans with self-insured and insurance options: Plans that provide health benefits through a mix of purchased insurance and self-insurance should combine the total premiums and the total paid for health care claims in the plan's last full fiscal year.

Security Standards

Under Social Security Act Section 1173(d), covered entities that electronically maintain or transmit health information and conduct electronic transactions must maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of health information, to protect against threats to security or unauthorized uses or disclosures of information, and to otherwise ensure compliance with the security standards by their officers and employees. In 45 CFR Parts 150, 162 and 164, the Department of Health and Human Services (HHS) has developed security standards that take into account the following: the technical capabilities of record systems used to maintain health information, the value of audit trails in computerized record systems, and the needs and capabilities of small health care providers and rural health providers.

Covered entities were required to comply with these requirements by April 21, 2005. If the plan is considered a "small health plan" (as defined above), the compliance date was April 21, 2006.

Transaction Standards

Under 45 CFR 162.900 to 925, covered entities (and their business associates) that exchange data electronically regarding certain specified transactions with other covered entities must meet electronic data format requirements. These rules are designed to standardize the electronic data interchange between these entities. Any covered entity can request that another covered entity conduct a covered transaction in the required format.

Under 45 CFR Section 160.103, these transaction standards do not apply to all electronic transactions, but only to those that involve "covered transactions." These "covered transactions" include:

-health care claims or equivalent encounter information;
-health care payment and remittance advice;
-coordination of benefits;
-health care claim status;
-enrollment and disenrollment in a health plan;
-eligibility for a health plan;
-health plan premium payments;
-referral certification and authorization;
-first report of injury; and
-health claims attachments.

Under 45 CFR Section 162.900, all covered entities were required to comply with these standards by October 16, 2002. This compliance date was extended to October 16, 2003 for "small health plans" and for entities that filed compliance plans with HHS by October 15, 2002.

Compliance Steps

To meet HIPAA's administrative simplification requirements, the employer sponsoring the Health Care FSA, the Health Care FSA, and their business associates should consider completing the following actions:

General Steps:

-Appoint a privacy officer.

-Designate a HIPAA compliance team, including representatives from HR, benefits, legal, information services, and accounting.

-Review HIPAA's administrative simplification requirements to determine how each requirement applies to the "covered entity," the employer sponsor, and any other third party that has a relationship to the plan.

-Determine the extent to which health information, individually identifiable information, and PHI is created, received, maintained, or disclosed.

-Determine which disclosures relate to permitted uses and which do not.

-Review the flow of health information and determine any "gaps" between actual operations and what is required under HIPAA.

-Identify all business associates.

Specific Steps for the "Covered Entity"

-Implement plan amendments to restrict use and disclosure, to designate personnel with access to PHI, and to erect firewalls.

-Draft formal HIPAA policies and procedures.

-Allocate privacy responsibilities between the plan/plan sponsor personnel and TPAs to determine who will:

  -Issue the Privacy Notice;

  -Enforce individual rights; and

  -Be responsible for administrative obligations applicable to the plan as a covered entity.

-Ensure that all third parties with access to PHI comply with business associate requirements.

Other Concerns

-Ensure compliance with HIPAA's transaction requirements.

-Ensure compliance with HIPAA's security requirements.

Final Thoughts

Because of the complexity of HIPAA's administrative simplification requirements, it is understandable that employers missed this requirement. Over time, however, employers must comply and cannot ignore the requirements. Because of the penalties involved, the various governmental agencies will be conducting audits. Do you want to be made an example of in this situation? Remember Martha Stewart!

Larry Grudzien J.D.,L.L.