May 8, 2003

HHS SAYS HIPAA RULES APPLY TO FLEXIBLE SPENDING ARRANGEMENTS

The U.S. Department of Health and Human Services (HHS) has finally answered whether
flexible spending arrangements (FSAs) are covered under the Administrative Simplification
provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
According to a Frequently Asked Question that HHS published on April 24, 2003, the answer is "yes."

FSAs are "group health plans" as defined in HIPAA, because they are employee welfare benefit plans
under ERISA and they pay for medical care. Therefore, they are "covered entities" under HIPAA's
privacy, security and electronic data interchange (EDI) rules. While most ERISA specialists had
advised clients that FSAs should comply with the rules, HHS had publicly stated that it was still
considering whether FSAs should be covered entities. Since most FSAs had been excepted from the
HIPAA portability provisions, based on guidance issued in December 1997,* it was possible that
HHS was considering also excepting them from the privacy rules. However, the agency has not done so.

All group health plans, including FSAs, that are self-administered and have fewer than 50
participants are not covered by HIPAA. In addition, those small health plans with annual
receipts of less than $5 million have until April 14, 2004 to comply. Employers should consult
with their legal counsel with respect to whether their benefit programs meet the small health
plan definition. Factors may include whether the FSA and the other health plans offered by the
employer are considered one "plan" and file one Form 5500, or whether they are treated as
separate "plans."

Employers that sponsor fully insured health benefit programs and do not use protected health
information (PHI) have fewer HIPAA privacy compliance obligations than do employers that use
PHI or are self-insured. However, if an employer with a fully insured plan also sponsors an FSA,
the employer must comply with the privacy rules for that FSA in the same manner that it would for
a self-insured benefit program. For example, the FSA documents must be amended, a Notice of Privacy
Practices must be distributed, business associate contracts must be obtained and policies and
procedures must be implemented to protect PHI.

Employers must also prepare to comply with the security rules by April 21, 2005. This will require
a risk assessment and implementation of security policies and procedures to assure that electronic
PHI is safe. Employers may wish to ask their administrator or human resources information system
vendor to provide them with information now about how FSA claims information is safeguarded.

The EDI rules are generally effective October 16, 2003. Most FSAs have no EDI issues because they
are only reimbursing individuals. However, if there are any direct exchanges between health care
providers and an FSA, employers should consult with legal counsel regarding whether the EDI rules
are implicated.

Many employers and their FSA administrators had already begun privacy and security compliance programs.
Those that have not should consult with their professional advisors as to whether compliance is now necessary.

Complete Text of the FAQ

The complete text of the FAQ follows. It is available in the Health Information Privacy FAQ list that
can be found at www.hhs.gov/ocr. There is no citation
for this FAQ. However, there is a search tool on the HHS Web site that can be used to look for this FAQ.

Question: Is a flexible spending account or a cafeteria plan a covered entity for purposes of the
Privacy Rule and the other HIPAA, Title II, Administrative Simplification standards?

Answer: A "group health plan" is a covered entity under the Privacy Rule and the other HIPAA, Title II,
Administrative Simplification standards. A "group health plan" is defined as an "employee welfare benefit
plan," as that term is defined by the Employee Retirement Income Security Act (ERISA), to the extent that
the plan provides medical care. See 42 USC §1320d(5)(A) and 45 CFR 160.103. Thus, to the extent that a flexible
spending account or a cafeteria plan meets the definition of an employee welfare benefit plan under ERISA
and pays for medical care, it is a group health plan, unless it has fewer than 50 participants and is
self-administered. Employee welfare benefit plans with fewer than 50 participants and that are self-administered
are not group health plans. Flexible spending accounts and cafeteria plans are not excluded from the definition
of "health plan" as excepted benefits. See 45 CFR 160.103, paragraph (2)(i) of the definition of "health plan."

* This guidance was published in the December 29, 1997 issue of the Federal Register.



