HIPAA / HITECH Compliance Kit for Medical FSAs and HRAs

In January 2013, HHS issued significant new HIPAA regulations. The primary purpose of the regulations is to implement the 2009 HITECH amendment to HIPAA. In addition, HHS released new sample business associate agreement provisions. Employers need to update their prior HIPAA compliance efforts in response to the new regulations.

Reason for Medical FSA / HRA Only Kit
There are some important exceptions to the HIPAA privacy rules. First, under the “fully-insured” or “hands off” exception, if an employer’s health plan is fully-insured and only enrollment/disenrollment information and summary health information (with the identifying information deleted), as opposed to protected health information (“PHI”), is disclosed to the plan sponsor, and the plan sponsor only uses the summary health information to obtain premium bids or amend/terminate the plan, then the responsibility to comply with the HIPAA privacy rules generally shifts from the plan to the insurer. If the employer receives reports with PHI and/or assists participants in working with the insurer to approve claims, the exception may not apply.

Second, if the employer’s health plan is self-funded and is also self-administered by the employer (that is, the employer does not hire a third party administrator to process claims) and fewer than 50 employees are eligible for the plan, then the HIPAA privacy rules do not apply.

It is our experience that, after applying these exceptions, many employers find that the only remaining health plans they maintain that are subject to the HIPAA privacy rules are medical flexible spending accounts (“FSAs”), self-funded medical reimbursement plans and/or health reimbursement arrangements (“HRAs”). For these employers, Miller Johnson has created a special abbreviated version of its normal employer health plan compliance kit which only deals with health plans that are medical FSAs, self-funded medical reimbursement plans or HRAs.

Medical FSA / HRA Compliance Kit
Miller Johnson has created a special abbreviated version of its regular employer health plan compliance kit for employers. The abbreviated kit is for employers who only must address HIPAA with respect to their medical FSAs, self-funded medical reimbursement plans and/or HRAs. This abbreviated kit is known as the medical FSA/HRA kit. (The reference to HRAs includes self-funded medical reimbursement plans.) The kit includes a hard copy and electronic version of the following:

  • Compliance instructions.
  • Updated HIPAA policies and procedures incorporating the final regulations, including the new breach notification procedures.
  • Sample notice to individuals in the event of a breach of unsecured protected health information (“PHI”).
  • Revised participant notice of privacy practices.
  • New business associate agreement. Included with the business associate agreement is a cover letter to the business associate describing the changes which have been made in order to comply with the final regulations and providing the rationale why your version of the business associate agreement should be used rather than any version supplied by the business associate.
  • Sample PowerPoint training document to provide training to employees in the group with access to PHI regarding the HIPAA privacy and security rules, HITECH and the final regulations.
  • Annual checklist to facilitate ongoing compliance.

Miller Johnson is offering employers a new medical FSA / HRA compliance kit to address the final regulations and all of the employer’s HIPAA / HITECH compliance requirements. If you are an employer that previously purchased a compliance kit from Miller Johnson, the cost of the new kit is $250. It is intended to replace any prior kit you purchased from Miller Johnson. If you are an employer that has not previously ordered a compliance kit from Miller Johnson, we are also making the kit available to you. Your cost of the kit is $350. However, please note that we are providing a $100 discount to employers (new and returning customers) who attend one of our HIPAA / HITECH workshops.

Intended Use
The kit is intended for use by employers in their capacity as health plan sponsors with respect to their medical FSAs, self-funded medical reimbursement plans and/or HRAs. It is for the purpose of addressing all of the documents needed in order to comply with the final regulations with respect to these plans. As a result, it should update and replace prior HIPAA and HITECH compliance efforts.

How to Order a Kit
If you are interested in ordering a HIPAA / HITECH compliance kit, please download the order form here and submit it to Mary Kral (email: kralm@millerjohnson.com or fax: 616.831.1701).

If you have any other questions about HITECH or HIPAA, please contact any member of the Employee Benefits Practice Group.