As employers prepare to offer health flexible spending accounts (FSAs), a common question arises: Are health FSAs administered by third-party administrators (TPAs) subject to HIPAA’s privacy and security rules? The short answer is yes—and here’s why that matters.
Understanding HIPAA’s Scope for Health FSAs
Under HIPAA, a health FSA is considered a group health plan, which makes it a covered entity subject to HIPAA’s privacy and security rules. The only exception is for self-administered FSAs with fewer than 50 participants—a rare scenario for most employers.
If your company uses a TPA to manage FSA claims, this exception does not apply. That means your health FSA must comply with HIPAA’s full privacy and security requirements.
Why Fully Insured Plans Are Different
Employers with fully insured major medical plans often take a “hands-off” approach to protected health information (PHI), receiving only summary or enrollment data. This limits their HIPAA obligations because the insurer, not the employer, handles PHI.
However, most health FSAs are self-insured, and the “hands-off” exception doesn’t apply. Even if a TPA handles the day-to-day administration, your company is still responsible for HIPAA compliance.
What Employers Must Do
To comply with HIPAA when offering a TPA-administered health FSA, employers should:
- Enter into a Business Associate Agreement (BAA) with the TPA, outlining how PHI will be handled.
- Implement privacy and security policies for the health FSA.
- Limit internal access to PHI to only those who need it for plan administration.
- Train staff who may come into contact with PHI.
- Ensure electronic PHI (ePHI) is protected under HIPAA’s security rule.
Minimizing Risk and Burden
While you can’t avoid HIPAA obligations entirely, you can minimize your exposure by delegating as much as possible to the TPA. This reduces the amount of PHI your company accesses and simplifies compliance.
If your company offers a health FSA administered by a TPA, that plan is subject to HIPAA’s privacy and security rules, and your company remains responsible for its compliance. Taking proactive steps to comply—especially by working closely with your TPA—will help protect employee data and reduce legal risk.
Source: Thomson Reuters