Does HIPAA Apply to Employee FSA Payments? Compliance Requirements Explained


Kevin Henry

HIPAA

December 09, 2024


HIPAA Applicability to Health FSAs

Yes—HIPAA generally applies to employee health FSA payments. A health FSA is a group health plan that pays for medical care and routinely creates, receives, or maintains Protected Health Information (PHI) when reimbursing claims. That makes the plan a “covered entity” subject to the HIPAA Privacy and Security Rules.

HIPAA governs how you use, disclose, and safeguard PHI connected to FSA claims (for example, receipts, EOBs, diagnosis codes, and provider information). It does not apply to non-health accounts such as dependent care FSAs or commuter benefits because those do not involve medical care.

What counts as PHI in an FSA?

  • Claim forms and supporting documentation (prescriptions, provider bills, itemized receipts).
  • Eligibility and enrollment data tied to an individual’s health coverage.
  • Payment records that reveal health care services or supplies purchased.

“Excepted” status does not remove HIPAA privacy duties

Many health FSAs qualify as “excepted benefits” under the Excepted Benefit Rules. That status exempts them from certain insurance market reforms but does not exempt them from HIPAA’s Privacy and Security Rules. You must still protect PHI and limit its use and disclosure.

Exemptions for Small Plans

A narrow exception exists for small, self-administered group health plans. If your health FSA has fewer than 50 participants and you administer it entirely in-house (no Third-Party Administrator), the plan is generally not a HIPAA-covered “health plan.” In that case, HIPAA’s Privacy and Security Rules would not apply to the FSA.

However, the exemption disappears if either condition changes. If you hire a Third-Party Administrator or the plan reaches 50 or more participants, the FSA becomes subject to HIPAA. Note that “small health plan” measured by annual receipts is a different concept and does not create a privacy/security exemption.

Compliance Requirements for Self-Insured FSAs

Most health FSAs are self-insured. For a self-insured health FSA, you, as plan sponsor, must implement a full HIPAA compliance program focused on PHI.

Privacy Rule essentials

  • Adopt written policies and procedures, designate a privacy official, and train workforce members who handle FSA PHI.
  • Distribute a Notice of Privacy Practices that explains allowable uses/disclosures (treatment, payment, and health care operations) and individuals’ rights.
  • Follow the minimum necessary standard; use and share only the PHI needed for the task.
  • Amend plan documents and build a firewall so only employees performing plan administration functions can access PHI—separate from general HR/management uses.
  • Secure valid authorizations for any non-routine disclosures not otherwise permitted by HIPAA.

Security Rule for ePHI

Breach Notification and documentation

  • Maintain an incident response process to assess potential breaches and provide timely notifications to affected individuals and regulators when required.
  • Retain HIPAA-related documentation (policies, risk assessments, training, BAAs) for at least six years.

Compliance Requirements for Fully Insured FSAs

Fully insured health FSAs are less common, but the HIPAA framework is different when an insurer pays claims. If the plan sponsor receives only enrollment/disenrollment data and de-identified or summary health information, the sponsor’s direct HIPAA duties are limited. The insurer issues the Notice of Privacy Practices and handles member rights requests.

If the sponsor requests or receives PHI beyond those narrow categories (for example, to assist with claims or appeals), you must amend plan documents, certify restrictions to the insurer, and implement Privacy and Security Rule controls similar to a self-insured plan.

Role of Third-Party Administrators

A Third-Party Administrator (TPA) typically processes claims, stores records, and communicates determinations—activities that involve PHI. Under HIPAA, the TPA is a Business Associate of the FSA, and you must execute a Business Associate Agreement defining permitted uses/disclosures, safeguards, subcontractor flow-downs, and breach reporting duties.

Practical oversight steps

  • Map PHI data flows and limit what the TPA sends back to the employer to the minimum necessary.
  • Review the TPA’s security controls, SOC reports, and incident history; require prompt breach notification and cooperation.
  • Take reasonable steps to address known BA noncompliance, including contract termination if violations are not cured.

Impact of Affordable Care Act on FSAs

The Affordable Care Act (ACA) did not eliminate HIPAA obligations for FSAs. Health FSAs that satisfy the Excepted Benefit Rules—being offered alongside major medical coverage and meeting the maximum benefit test—are exempt from certain ACA market reforms, but you still must comply with HIPAA Privacy and Security Rules.

The ACA also introduced an indexed annual salary-reduction cap and made other plan design changes over time (such as rules for certain over-the-counter items). These design features do not change your duty to safeguard PHI associated with FSA claims and payments.

Penalties for Non-Compliance

HIPAA compliance enforcement is led by the HHS Office for Civil Rights. Civil penalties scale by level of culpability and are subject to annual caps indexed for inflation; willful neglect can trigger the highest tiers and corrective action plans. Egregious misuse of PHI can also carry criminal exposure.

Beyond fines, enforcement may require comprehensive remediation, independent monitoring, and reporting. Breach response costs, participant notifications, and reputational damage can exceed regulatory penalties. Strong governance, accurate BAAs, workforce training, and periodic risk analyses are your best risk controls.

In short, if your health FSA handles PHI—or a TPA handles it for you—HIPAA applies. Build disciplined privacy and security practices into everyday claim processing and employer-plan interactions to keep FSA payments compliant.

FAQs

What types of FSAs are subject to HIPAA?

Health FSAs—including general-purpose and limited-purpose (dental/vision) FSAs—are HIPAA-covered health plans because they process PHI to reimburse medical care. Dependent care FSAs and other non-health accounts are not subject to HIPAA.

When are employers exempt from HIPAA compliance for FSAs?

If your health FSA has fewer than 50 participants and is entirely self-administered (no Third-Party Administrator), the plan generally is not a HIPAA-covered health plan. Using a TPA or reaching 50 or more participants brings the FSA under HIPAA.

What are the employer obligations under HIPAA for self-insured FSAs?

Adopt Privacy and Security Rule policies, train staff, issue a Notice of Privacy Practices, limit PHI access to plan administration functions, implement ePHI safeguards, manage vendors through a Business Associate Agreement, and maintain breach response and documentation.

How do third-party administrators affect HIPAA compliance for FSAs?

TPAs act as Business Associates, which requires a Business Associate Agreement and reasonable oversight. They do not remove your obligations; they extend your compliance program to vendor operations, data sharing controls, and breach reporting across the full claims lifecycle.
