Full Version: HIPAA and stand alone FSA
John Segnor
I work for a local county government and we have a FSA that is not a part of a cafeteria plan. The FSA is fully funded by employee payroll deductions. It seems to me that we are not paying for or providing health care as defined in HIPAA. Does anyone have any thoughts, suggestions or guidance to offer regarding whether this needs to be covered by the privacy regulations of HIPAA?
KIP KRAUS
I’ll take a stab at this from what I understand.

If you, as the employer are processing the FSA claims then you may be receiving PHI and I would say you might be a covered entity under the HIPAA privacy rules.

If, on the other hand, you have a TPA processing claims then you need to make sure that you have an agreement with them that covers their use of PHI under HIPAA.
Steve72
As currently defined, FSAs are "covered entities" under HIPAA. Kip's statement that:

"If you, as the employer are processing the FSA claims then you may be receiving PHI and I would say you might be a covered entity under the HIPAA privacy rules."

is close, but not entirely accurate. An employer is not a covered entity. The plan is the covered entity. It is vitally important that a plan sponsor separate these two functions. PHI obtained by the FSA should not be disclosed outside the FSA. You should "firewall" employees who perform services for the FSA to ensure that unlawful disclosures do not occur.

However, most stand-alone FSAs will be "small health plans" under HIPAA, and have an extended compliance date (April 14, 2004).

HHS has made some rumblings about possibly exempting some FSAs from HIPAA, but there has been nothing official released yet.
carsca
Also, Kip's statement seems to imply that if a TPA is handling the claims (as is likely the case), the employer need only be concerned with amending business associate contracts. This is not the case.

Regardless of who processes the claims, the FSA will not be a self-insured plan, which means that HIPAA requires that notices be provided by the employer to FSA participants, and other firewall protections, including plan amendments, may need to be implemented by the employer.
Steve72
Agreed, except I think you meant that the FSA WILL be a self-insured plan.
carsca
Yes, sorry about that. What I meant to say was that the FSA will not be considered a FULLY insured plan.
John Segnor
O.K. so we have determined that the FSA is a small health plan and as such we can take advantage of the one year extensions for privacy. My next question then is do we need to change the way that we receive the information from the employee? We currently receive the request for reimbursement form and supporting receipts either directly from the employee in person or from the employee via inter-office mail.

I thought that our responsibility was once we received the PHI, not how it gets to us? Any help or guidance to the regulation language would be greatly appreciated.

Thanks,
John
Steve72
In addition to the administrative requirements discussed above, you will have to ensure that the individual who receives the information is appropriately trained to utilize PHI solely for permitted purposes for the FSA, and that the information does not migrate to the employer or other benefit plans.

There is nothing in HIPAA preventing you from receiving the information in the manner you describe, so long as PHI is adequately protected at all stages.