Since December 2003 when President Bush signed the Medicare Prescription Drug, Improvement and Modernization Act of 2003, many articles in the popular and legal press have reviewed the benefits and features of Health Savings Accounts ("HSAs"). Structured similarly to Archer Medical Savings Accounts, HSAs offer an impressive list of attractive features, including no use-it-or-lose-it, the ability to use the funds for non-medical purposes, self-substantiation of expenses, and the list goes on. (The features of HSAs are discussed in more detail in our prior Legal Alert of February 2004 at www.kilpatrickstockton.com/publications/legal_alerts.aspx .) The focus of this legal alert will be on an issue that has received little discussion—the impact of the HIPAA privacy rules on the operation and design of HSAs.

The Two Components of an HSA Design

Individuals enrolled in high-deductible health plans ("HDHPs") may establish HSAs to receive tax-favored contributions. Thus, an HSA design will have two components—the first component will be the HDHP and the second component will be the HSA. The HDHP may be sponsored by an employer, or it may be offered by an insurer. Either way the HDHP will be subject to the HIPAA privacy rules. However, the analysis of whether an HSA is also covered by the HIPAA privacy rules should not turn on the status of the HDHP under HIPAA. While every person who has an HSA will also have an HDHP, there is no requirement under the Code or ERISA that these two components be linked in any manner. In fact, the entities that provide the HDHP (e.g., employers and insurers) will in most situations not be the entities that will be providing an HSA (e.g., banks and trust companies). From this perspective, therefore, the HIPAA privacy status of HDHPs should not taint or affect the HIPAA privacy status of HSAs.

Is an HSA a "Health Plan" under the HIPAA Privacy Rules?

If an HSA satisfies the definition of a "health plan" under the HIPAA privacy rules, then the HSA is considered a "covered entity" and would need to comply with the applicable HIPAA privacy rules.

Definition of a "Health Plan." The definition of a "health plan" includes seventeen different arrangements and types of coverages. Of these seventeen arrangements and coverages, only two appear to be applicable to HSAs: (1) ERISA group health plans, and (2) any individual or group plan that pays for the cost of medical care. Both of these arrangements are discussed below.

ERISA Group Health Plans. The key issue here is whether an HSA should be considered an employee welfare benefit plan under ERISA. We understand the Department of Labor ("DOL") has been asked for an advisory opinion on this issue and, reportedly, a response is near. However, even assuming that an HSA is an ERISA welfare plan, if the HSA arrangement includes less than 50 participants and is self-administered by the employer, then the HSA would be excepted from the definition of a group health plan under the HIPAA privacy rules.

While many HSAs may have less than 50 participants in the aggregate, those that have 50 or more could make the argument that each employee’s HSA constitutes a separate "plan." Under this position, it would not matter how many employees had an HSA option through the employer because each one would be a separate individual plan. However, assuming you satisfy the less than 50 requirement, the "plan" must also be self-administered to satisfy the exception. In this regard, another gray area exists regarding whether HSAs can be considered self-administered by the employer. On the one hand, the Department of Health and Human Services ("HHS") could argue that HSAs are not self-administered, because the HSA bank or trust company is partly administering the HSA. On the other hand, an employer could argue that the administration of the HSA (for purposes of the employer) ceases when contributions and salary deferrals are sent to the HSA trustee for deposit in the employee’s account. Any administration of the HSA account after that event, is the employee’s responsibility (and not the employer’s). Further, the fact that the employee is responsible need not be a problem in the HIPAA analysis, because employees always have some responsibilities with respect to the operation of a health plan. Indeed, the argument would be that, if this were a problem, there would be no self-administered health plans. If this argument is successful, the self-administered exception could apply.

However, if the HSA cannot be considered self-administered or has 50 or more participants, the exception would not apply and the issue would then turn on whether the HSA is a welfare benefit plan under ERISA. In general, under ERISA, each of the following three requirements must be satisfied to have an ERISA welfare benefit plan:

  1. There must be a plan, fund or program;
  2. The plan must be established or maintained by the employer; and
  3. The purpose of the plan must be to provide ERISA-covered benefits (e.g., medical benefits) to participants and beneficiaries.

An HSA most likely satisfies the first requirement because it is a plan or a program, so the real focus is on the other two requirements. Of the remaining two requirements, the one that has a more familiar line of analysis is whether the plan is established or maintained by the employer. In general, the establishment and maintenance of a plan by an employer is a facts and circumstances analysis that DOL has explicated previously, e.g., in connection with IRAs. Under this traditional DOL analysis, if the employer takes a limited role with regard to HSA administration and design, the HSA should not be established or maintained by the employer and should not be an ERISA plan.

Thus, if the employer merely provides the HDHP (either directly or through an insurer) and then requires employees to establish their own HSA accounts, the HSA need not be an ERISA plan. However, if the employer envelops itself in the administration of the HSA—for example, selects a single, specific HSA trustee, assists employees in establishing HSA accounts and identifies the employer with the HSA structure offered—then under prior DOL guidance applicable to IRAs, the HSA should be considered established or maintained by the employer. In addition, if the employer makes its own contributions to the HSA, the HSA would be considered established or maintained by the employer. However, allowing only employee salary reduction should not be fatal, but it could make it more difficult to avoid an excessive role with respect to the HSA than would be the case if all funding occurred through only tax-deductible employee contributions.

The remaining requirement of whether the plan provides ERISA-covered medical benefits involves a less familiar line of analysis and may have contributed to DOL’s taking some time to respond to the pending advisory opinion request. For example, an employer could argue that there is no requirement that an HSA provide medical benefits because it is a dual-purpose account. The HSA may reimburse medical costs and it may also reimburse any other non-medical costs as well. At the same time, HSA accounts are focused preferentially on medical care reimbursements, because these reimbursements are tax-free, while distributions for non-medical care expenses are subject to income taxation and in most circumstances a 10% penalty tax. However, is that enough? In any event, this is a substantial issue that may be answered soon by DOL, but otherwise employers will have to decide for themselves when determining whether to offer HSAs to their employees.

Individual or Group Plans that Pay for Medical Care. Under the HIPAA privacy rules, any individual or group plan that provides or pays for the cost of medical care is deemed to be a "health plan." This is sometimes referred to as the catch-all provision. Assuming the HSA is not considered an ERISA plan, it is possible that the HSA could still be a "health plan" under the catch-all provision. The reason for this is that the catch-all provision does not require the HSA to be established or maintained by the employer. It looks solely to whether the HSA provides or pays for medical care. In essence this gets back to the same question noted above with respect to whether the HSA is sufficiently focused on medical benefits to make it subject to ERISA. However, because this question will be answered by HHS, it is possible that DOL and HHS could answer it differently (e.g., if DOL decided an HSA’s dual purpose character prevented it from being an ERISA welfare plan providing health benefits, it is still conceivable that HHS could decide that an HSA is a health plan under the HIPAA privacy rules because it comes within the catch-all provision.)

If an HSA is a "health plan" under the catch-all provision, the HSA would be a "covered entity." However, who is responsible for its compliance? ERISA welfare plans have a plan administrator (who is typically the employer or a committee composed of the employer’s employees) that act on behalf of the ERISA welfare plan. In that situation, the plan administrator would be responsible for HIPAA privacy compliance. If the HSA is not an ERISA welfare plan, however, there is no one directly responsible to act on the HSA’s behalf. Thus, in this situation an employer could argue that it is not responsible for the HSA’s compliance with the HIPAA privacy rules, because it has no authority or liability with respect to the "health plan." On the other hand, HHS could argue that the employer is still responsible for the HIPAA privacy compliance of the HSA because the employer has the closest nexus to the HSA.

What Happens if the HSA is a HIPAA Health Plan?

Because it is conceivable that an HSA may be considered a health plan under the HIPAA privacy rules, we address the application of both the HIPAA privacy rules and the HIPAA electronic data interchange ("EDI") rules below.

HIPAA Privacy Rules. If an HSA is considered a HIPAA-covered health plan sponsored by the employer and no exemption applies, the employer would be responsible for complying with the HIPAA privacy rules because the HSA is considered to be self-insured. This would include, among other things, adopting policies and procedures, amending the HSA plan documents to include the required HIPAA language, distributing a privacy notice to covered employees and appointing a privacy official. Another requirement is to execute a business associate agreement with any applicable service providers. An HSA service provider will be a business associate, if the service provider (1) receives individually identifiable health information from or on behalf of the HSA, or (2) otherwise provides legal, accounting, actuarial, consulting, management, administrative or financial services to or for the HSA.

For HSAs, the most important service provider will be the bank or trustee that holds the HSA accounts. In analyzing whether the bank or trustee is a business associate, you must examine the information received by the bank or trustee from both the employer and the employees. The information received from employers will consist of participant names and contribution amounts. This type of information could fit under the exception for enrollment information maintained by the employer, which may be shared with the bank or trustee without first obtaining a business associate agreement (i.e., enrollment information maintained by the employer is not covered by the HIPAA privacy rules).

On the employee side, an employer could argue that because the employee self-substantiates his/her own expenses, the HSA bank or trustee will not need any health information to authorize a distribution. The employee would simply request a distribution of a certain dollar amount, and the bank or trustee would send the funds. However, the issue here is that the definition of individually-identifiable health information includes information related to the payment of health care. Thus, even though the bank or trustee may not receive actual health information (e.g., the bank would not receive copies of EOBs like a health flexible spending account administrator would), the bank does receive requests related to the payment of health care.

On this issue, HHS has made the following statements in the preamble to the HIPAA privacy rules:

"We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilities or effects the transfer of funds for compensation for health care (emphasis added). A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider being paid." (See, 65 Fed. Reg. 82476 (December 28, 2000) and HHS FAQ, Page 43 (December 3, 2002)).

Based on the above language, despite the presence of potential PHI, the processing of consumer-conducted transactions or any other activity that facilitates the transfer of funds for compensation for health care do not rise to the level of a bank being treated as a business associate under the HIPAA Privacy Rules. Therefore, because employees would only need to tell their HSA bank or trustee of the distribution amount and where to send the funds, it is seems reasonable that an employer could argue that the HSA bank or trustee does not receive any individually-identifiable health information. If this argument is successful, the HSA bank or trustee would not satisfy the first business associate test.

Assuming that the HSA bank or trustee does not satisfy the first business associate test, does it satisfy the second test by providing "financial services" to the HSA? There appears to be no further definition of "financial services" in this context, but based on the above language in the preamble the bank’s or trustee’s role should be viewed as being no more than simply conducting a regular banking transaction.

HIPAA EDI Rules. If an HSA is considered a HIPAA-covered health plan, it appears that the normal transactions that would occur with an HSA would not be covered by the HIPAA EDI rules. For example, both employee contributions and employer contributions should not trigger the application of the "health plan premium payment" transaction, because employees and employers are not covered entities under the HIPAA EDI rules. Similarly, distributio ns from an HSA account should also not be covered by the HIPAA EDI rules because they are requested by the employee—a non-covered entity—meaning that the "health care claim " and "health care payment" transactions should not be triggered. Even HSAs that allow individuals access to their HSA balances through a debit or credit card arrangement would not be covered by the HIPAA EDI rules based on the ruling by HHS in September 2003 exempting these cards from the EDI rules.

Conclusion

Currently there are too many variables and unknowns to say definitively whether HSAs will, in fact, be covered or not covered by the HIPAA privacy rules. However, employers may be able to structure their HSA arrangements in a way that allows a reasonable, initial assessment that HIPAA should not apply. Still, this is one area to which employers should pay close attention as developments arise.

The information contained in this article is not intended as legal advice or as an opinion on specific facts. For more information about these issues, please contact the author(s) of this article or your existing firm contact. The invitation to contact the author is not to be construed as a solicitation for legal work in any jurisdiction in which the author is not admitted to practice. There will be no charge for the initial contact. Any attorney/client relationship must be confirmed in writing. You may also contact us through our Web site at www.kilpatrickstockton.com