Health FSAs: When do HIPAA’s Requirements Apply?

Author: Andrew Wilson, Regulatory and Legislative Specialist, Hays Companies

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to improve the health care delivery system. Because a Health FSA (HFSA) is technically a health plan, HIPAA’s requirements related to privacy and security (which are referred to as HIPAA’s Administrative Simplification provisions) apply to most HFSAs. The exception to these requirements is for plans that are self-administered by small employers (covering fewer than 50 participants)—otherwise, HIPAA applies.

What are HIPAA’s Administrative Simplification Provisions and what do they do?

These provisions outline: (1) privacy standards, (2) security standards, and (3) electronic data interchange (EDI) standards for the exchange of electronic data between health plans and health care providers. With most HFSAs, however, there is no EDI exchanged between the plan and the provider, so for purposes of this discussion we are focusing on the privacy and security standards.

Hays Compliance is commonly asked: Why should the plan sponsor worry about these policies and procedures when we hired a TPA to administer our plan? Frankly, while many employers choose to utilize a TPA, employers can at any time end their relationship with their TPA and take the administration of HFSAs in-house. As a result, it’s important for the plan sponsor to at least be aware of the implications and requirements put forth by HIPAA.

Privacy Standards

Essentially, HIPAA’s privacy standards restrict the use or disclosure of protected health information (PHI). This includes use or disclosure by health plans—including HFSAs—as well as other covered entities and third-party business associates.

PHI is broadly defined as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.

Under HIPAA, the use and disclosure of PHI for employment purposes generally is prohibited. This means that covered entities (including HFSAs) generally may not disclose PHI to employers. An exception may apply if the PHI is disclosed to perform an administrative function (and, even then, the plan document must be amended to limit additional disclosures and require certain safeguards). Summary information and de-identified PHI (with all elements of identifying information removed), however, can be disclosed to an employer for certain purposes.

Likewise, business associates also may not be given or have access to PHI unless the business associate contract contains certain provisions that comply with HIPAA. HIPAA also requires that HFSAs maintain records of certain disclosures and provide individuals with access to their PHI.

In addition, HIPAA limits the scope of any disclosure of PHI to the minimum amount necessary to achieve the permitted purpose; this is sometimes referred to as HIPAA’s “minimum necessary” standard. Disclosure of PHI is permitted without authorization for treatment, payment, or health care operations (TPO).

HFSAs must establish HIPAA privacy and security policies to ensure that PHI is protected. The plan must identify a privacy official who is responsible for ensuring that proper procedures are in place. Such procedures must be followed if there is any breach or unauthorized disclosure of PHI.

HIPAA also mandates that HFSAs provide individuals with a Notice of Privacy Practices, which outlines individuals’ rights under HIPAA. Individuals must be able to access their records and request changes. Those individuals also have the right to access information about certain disclosures of their PHI.

Even for those employers utilizing a TPA, it’s generally a good idea to identify someone in the privacy documents as a privacy official in the event that the plan sponsor (the employer) gets involved because the TPA denies a claim or another similar issue arises.

Security Standards

In addition to meeting HIPAA’s privacy standards, HFSAs must generally also meet HIPAA’s security standards. Under HIPAA, covered entities that electronically maintain or transmit PHI or conduct electronic transactions must maintain safeguards to ensure the integrity, availability, and confidentiality of electronic health information (ePHI), to protect against threats to security or unauthorized uses or disclosures of ePHI, and to otherwise ensure compliance with the security standards by their officers and employees. The security requirements also apply to business associates.

Because they are health plans, HFSAs must comply with the privacy and security mandates put forth by HIPAA. HIPAA generally prohibits the use and disclosure of PHI for employment purposes, and, in situations where limited disclosure is authorized, HIPAA limits the scope of that disclosure to the minimum amount necessary to achieve the purpose of the disclosure. HFSAs are also required to establish privacy and security policies to ensure that PHI is protected, including identifying a privacy official who is responsible for ensuring that proper procedures are enacted and followed in the event of a breach. Finally, HIPAA requires that HFSAs provide individuals with a Notice of Privacy Practices, which outlines their rights to access their records (including records related to the disclosure of PHI), and request changes.

This document is provided for general information purposes only and should not be considered legal or tax advice or legal or tax opinion on any specific facts or circumstances. Readers are urged to consult their legal counsel and tax advisor concerning any legal or tax questions that may arise.
