Recent HHS Guidance on the Treatment of Flexible Spending Accounts under HIPAA

Prepared for the Coalition by Robert D. Belfort, of Manatt, Phelps, and Phillips, LLP.
May 9, 2003

Recently, the U.S. Department of Health and Human Services ("HHS") added a new item to the "frequently asked questions" section of its HIPAA web site that discusses the treatment of flexible spending accounts ("FSAs") under HIPAA. Although this information was intended to provide guidance to employers regarding the application of HIPAA to their group health plans, it has raised a number of questions that have not been fully addressed by HHS. This memo discusses the impact of the HHS guidance on the HIPAA compliance strategy of employer-sponsored group health plans.

The "Fully Insured" Exception for Group Health Plans

As explained in my March 12, 2003 memo to the Coalition, employee welfare benefit plans established under ERISA that provide or pay for the cost of medical care, referred to in the HIPAA Privacy Rule as "group health plans," are covered entities under HIPAA. The only exception is that group health plans covering fewer than 50 employees that are self-administered by the employer are not subject to HIPAA.

However, the Privacy Rule states that a group health plan is exempt from complying with virtually all of the Privacy Rule’s requirements if:

  • The group health plan provides health benefits solely through an insurance contract with a state-licensed insurer or HMO; and
  • The group health plan does not create or receive protected health information other than summary health information (e.g., aggregated data that does not facially identify individuals) and enrollment/disenrollment information.

Most small and mid-sized employers, including the vast majority of the Coalition’s members, purchase health insurance from insurers or HMOs rather than self-insuring (i.e., they are "fully insured") and do not receive protected health information in connection with administration of their group health plan. As a result, these organizations have generally assumed that they qualify for the "fully insured" exception to HIPAA described above.

Recent HHS Guidance on FSAs

Since the Privacy Rule was issued, there has been uncertainty as to whether FSAs constitute group health plans that are subject to the Privacy Rule. In a recent addition to the frequently asked questions section of its HIPAA web site, HHS stated:

To the extent that a flexible spending account or cafeteria plan meets the definition of an employee welfare benefit plan under ERISA and pays for the medical care, it is a group health plan, unless it has fewer than 50 participants and is self-administered ... Flexible spending accounts and cafeteria plans are not excluded from the definition of a "health plan" as excepted benefits.

FSAs generally qualify as employee welfare benefit plans under ERISA. Therefore, it appears that FSAs under which employees receive reimbursement for medical expenses are subject to HIPAA.

The Impact of the HHS Guidance

The primary concern triggered by the HHS guidance stems from the fact that FSAs are not provided through insurance contracts with HMOs or insurers; indeed, they are not insured at all. Therefore, as a result of the HHS guidance, employers that operate FSAs and previously assumed they qualified for the "fully insured" exception to the Privacy Rule because their medical, dental and vision benefits are provided through insurance contracts are now questioning whether they, in fact, fall within the exception. If they do not qualify for the "fully insured" exception, employers will have to issue privacy notices, appoint a privacy officer and take other HIPAA compliance steps with respect to their group health plans.

One area of confusion is whether the operation of an FSA requires an employer to ensure HIPAA compliance with respect to all of its health benefit programs or only the FSA. Underlying this confusion is the question of whether the FSA is its own group health plan or part of a larger group health plan that includes all of the employer’s health benefit programs. If the FSA is its own group health plan, an employer must comply only with respect to the FSA; if not, the employer must comply with respect to all of its health benefit programs.

HHS has not provided any guidance on whether different health benefit programs maintained by the same employer constitute a single group health plan or multiple group health plans. It is worth noting that the Privacy Rule permits different group health plans maintained by the same employer to designate themselves an "organized health care arrangement" for HIPAA compliance purposes. This suggests that the simple fact that different health benefit programs are maintained by the same employer does not mean the benefit programs constitute a single group health plan. However, the organized health care arrangement provisions do not suggest the contrary, i.e., that multiple benefit programs are automatically separate group health plans under HIPAA.

In the absence of guidance from HHS, employers may wish to use the Form 5500 filed with the U.S. Department of Labor under ERISA as a guide in determining whether different benefit programs are part of the same group health plan. For example, if an FSA is included in the same Form 5500 as the employer’s other health benefits, the employer could conclude that all of the benefit programs, including the FSA, are part of the same group health plan. In contrast, if a Form 5500 covers only the FSA, the FSA could be viewed as its own group health plan. While this approach seems reasonable, particularly in light of statements by HHS that it will look to ERISA principles in applying HIPAA to group health plans, HHS has not formally stated that it will follow the above analysis.

The "50 Participants" Exception

As indicated above, a group health plan is not a covered entity under HIPAA if it covers fewer than 50 individuals and is self-administered by the employer. Given the fact that many employees choose not to participate in FSAs, it is possible that the FSAs of smaller organizations may cover fewer than 50 individuals.

However, in determining whether an FSA covers fewer than 50 individuals, employers will again have to assess whether their FSA is part of the same group health plan as the employer’s other health benefit programs. If the FSA and the other benefit programs are part of the same group health plan, the exception would not be satisfied unless none of the benefit programs had 50 or more participants.

Moreover, the "50 participant" exception applies only if the group health plan is self-administered. If the employer, as is usually the case, directs employees to submit reimbursement claims to a third-party administrator, the FSA does not meet the self-administration test and does not qualify for the exception. In addition, if the FSA is part of the same group health plan as other benefit programs, the exception would not apply unless all of these programs were self-administered, which is rarely the case.

Opportunity to Defer Compliance

Even if an FSA does not fall within the "50 participant" exception, employers may have additional time to bring their FSAs into compliance if the FSA qualifies as a "small health plan" under HIPAA. A small health plan is any health plan that has annual receipts of $5 million or less. Small health plans have until April 14, 2004 to comply with HIPAA.

Given the relatively modest amounts most employees contribute to FSAs, only large employers are likely to operate FSAs whose annual receipts exceed the $5 million level. However, employers will once again have to confront the issue of whether the FSA is part of the same group health plan as the employer’s other health benefit programs. If it is, the receipts of all of these benefit programs would have to be aggregated for purposes of applying the small health plan test.

The Possibility of Further HHS Guidance

It is possible that HHS may issue further guidance regarding the effect of an FSA on a group health plan’s qualification for the "fully insured" exception as well as the application of the "50 participant" and "small health plan" tests to multiple health benefit programs offered by an employer. HHS may also be pressured to amend the Privacy Rule by expanding the "fully insured" exception to cover uninsured benefits such as FSAs. This would reverse the presumably unintended consequence of subjecting group health plans that do not self-insure to all of the HIPAA requirements. However, until further clarification is issued or the Privacy Rule is amended, many employers will have complicated decisions to make about how to treat their group health plans for HIPAA compliance purposes.

If you have questions, please contact Patricia Gallo Goldstein at patgg@cvmha.org or 212-742-1600 ext 106 or Karyn Krampitz at kkrampitz@cvmha.org or 212-742-1600 ext 210.