QUESTION: Our company has 60 employees, all of whom are eligible for our fully insured medical plan and our health FSA. This year, 40 employees have enrolled in our medical plan and health FSA. Does our health FSA, which we administer in-house, qualify for the exclusion from the HIPAA privacy and security rules for self-administered health plans with fewer than 50 participants?
ANSWER: A health plan with fewer than 50 participants that is administered by the sponsoring employer is excluded from the definition of a “group health plan” under HIPAA’s administrative simplification provisions, which include the privacy and security requirements. (Note that the “group health plan” definition for other purposes, such as ERISA and COBRA, does not contain such an exclusion.)
For purposes of the HIPAA exclusion, “participant” is defined by reference to ERISA § 3(7), which provides that the term means “any employee or former employee of an employer…who is or may become eligible to receive a benefit of any type from an employee benefit plan which covers employees of such employer…or whose beneficiaries may be eligible to receive any such benefit.” This definition has been interpreted to include employees who are eligible for a plan but are not enrolled. Applying this interpretation to the HIPAA exclusion, all eligible employees should be counted when determining whether a plan has fewer than 50 participants for purposes of the HIPAA exclusion. Based on your description, your plan does not qualify.
Note that the exclusion is limited to plans that are fully administered by the sponsoring employer; it will not apply to insured plans or to self-insured health plans (including health FSAs) that are administered by an entity other than the sponsoring employer, such as a third-party administrator (TPA). If your company’s plan outsources any administrative function (including, for example, COBRA compliance), the exclusion will not apply (regardless of the number of participants).
Also, plans that qualify for the exclusion are not necessarily excused from compliance with HIPAA’s portability requirements (i.e., HIPAA’s rules regarding special enrollment rights and health-status nondiscrimination). The portability rules have different provisions regarding the plans that must comply and those that are excepted from compliance.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections VI (“What Plans Are Subject to HIPAA’s Portability Requirements?”) and XXII.C (“What Are ‘Health Plans’ and ‘Group Health Plans?’”). You may also be interested in our upcoming webinar, “HIPAA in the Pandemic: Implications for Health Plans” (live on April 1, 2021).
Contributing Editors: EBIA Staff.