Employer Guide: When HIPAA Covers FSA Claims and Payment Information
HIPAA Applicability to Health FSAs
Health flexible spending arrangements (health FSAs) are generally covered by HIPAA because they are group health plans that reimburse medical care. That means payment information and claim documentation handled by the plan or its vendors are Protected Health Information (PHI).
HIPAA does not apply to non-medical FSAs, such as dependent care, parking, or transit accounts. It also does not apply to employment records your company maintains in its capacity as an employer. The line to watch is whether the information is held by or on behalf of the group health plan for plan purposes.
Limited exception for very small, self-administered plans
A group health plan with fewer than 50 participants that is self-administered by the employer may not be a HIPAA covered entity. Most health FSAs, however, use a third-party administrator (TPA), which brings the plan squarely under HIPAA. When in doubt, treat the FSA as subject to HIPAA’s Privacy Rule and Security Rule requirements.
Common examples
- Health FSA claim receipts, EOBs, and card auto-substantiation data: PHI when held by the plan or TPA.
- Payroll deduction amounts and election forms: typically not PHI when kept strictly as employment records.
- Dependent care FSA claims: not HIPAA-covered because they do not involve medical care.
Employer's Role in Health FSA Administration
In your role as plan sponsor (and often plan administrator), you establish the health FSA, adopt plan documents, and ensure operational compliance. For HIPAA, you must add required plan amendments and certify that the plan sponsor will use and disclose PHI only for plan administration.
Build a “firewall” between HR/benefits staff who handle plan administration and supervisors or payroll personnel who do not need PHI. Limit who can access PHI, train them, and document that access is for plan purposes only, not for employment actions.
Core responsibilities
- Adopt HIPAA policies and procedures for the group health plan, including a Notice of Privacy Practices when required.
- Designate a privacy official and a security official; maintain a complaint, mitigation, and sanctions process.
- Execute business associate agreements (BAAs) with vendors that create, receive, maintain, or transmit PHI.
Use of PHI in Health FSA Claims
PHI includes any individually identifiable health information the plan holds, including payment and claims data. You may use and disclose PHI for plan “payment” and “health care operations,” such as adjudicating claims, resolving appeals, and auditing the plan. Apply the “minimum necessary” standard to each use.
Avoid receiving claim images or receipts in general HR inboxes. Route employees to the TPA’s portal or app. If escalation is needed, request only the minimum data to resolve the issue and avoid diagnosis codes when not necessary for substantiation.
Practical guardrails
- Use de-identified or aggregated reports for budgeting and trend analysis.
- Do not share PHI with managers or use it for employment decisions.
- Confirm that card auto-substantiation files are handled as ePHI with proper controls.
Employer Obligations Regarding PHI
Your obligations as the sponsor of a self-insured plan include both Privacy Rule compliance and Security Rule requirements. Even when a TPA processes claims, the plan remains responsible for safeguarding PHI and ensuring appropriate vendor contracts and oversight are in place.
Privacy Rule Compliance
- Maintain a Notice of Privacy Practices and provide it to participants as required.
- Train workforce members with plan access; document attendance and content.
- Implement “minimum necessary” procedures, and restrict PHI to plan administration uses.
- Have incident response and breach notification procedures; log and investigate all privacy events.
Security Rule Requirements (for electronic PHI)
- Conduct and document a risk analysis; implement a risk management plan with periodic reviews.
- Establish PHI access controls: role-based access, unique user IDs, strong authentication, and timely access termination.
- Enable audit controls and activity logs; review for anomalous access.
- Encrypt ePHI in transit and at rest, manage endpoints, and enforce secure configuration and patching.
- Define data retention and secure disposal for claim files and health FSA documentation.
Reporting Health FSA Contributions on Form W-2
Employee salary reduction contributions to a health FSA are pre-tax and generally are not separately reported on Form W-2. They reduce Box 1 taxable wages automatically. Do not use Box 10 (that box is for dependent care benefits), and do not use Code W (that code is for HSAs).
Under ACA aggregate cost reporting (Box 12, Code DD), amounts for a health FSA are not reportable if funded solely by employee salary reduction. If the employer contributes (for example, via flex credits), include the health FSA amount in Code DD when the total annual FSA available to the employee exceeds the employee’s salary reduction election. Follow the current IRS Form W-2 instructions for the precise calculation.
Illustrative scenarios
- Employee elects $2,000; employer contributes $0 → No separate W-2 reporting for the health FSA.
- Employee elects $2,000; employer contributes $500 → The health FSA may be reportable in Box 12, Code DD per the special health FSA rule.
Documentation Requirements for Health FSA Claims
To substantiate claims, require documentation that proves the expense qualifies under Code §213(d) and matches the plan year. Ensure the plan collects only what it needs and protects it as PHI.
Acceptable proof
- Explanation of Benefits (EOB) from an insurer or the TPA.
- Itemized receipt or provider statement showing: patient name, provider/merchant, date of service, description of service or product, and amount owed/paid.
- For eligible over-the-counter items, a detailed merchant receipt listing the specific product.
Not sufficient
- Credit card slips or bank statements without item details.
- “Balance forward” invoices or estimates/quotes for future services.
Operational tips
- Use TPA portals for uploads; avoid emailing PHI.
- Apply consistent review criteria; document approvals and denials for audit.
- Retain claim records per your ERISA/tax schedule and HIPAA retention and disposal procedures.
Third-Party Administrators and HIPAA Compliance
Most health FSAs engage TPAs, card processors, and data warehouses that are business associates under HIPAA. You must have BAAs that define permitted uses, PHI safeguards, breach reporting, subcontractor flow-downs, and termination/return or destruction of PHI.
Perform due diligence: review security controls, PHI access controls, encryption practices, incident response, and independent audit reports. Clarify which party handles participant requests, notices, and breach notifications to prevent gaps.
Best-practice vendor governance
- Map PHI data flows and minimize PHI sent to the employer; prefer aggregated, de-identified reports.
- Set service-levels for claim turnaround, privacy complaints, and breach alerts.
- Test secure file transfers and access provisioning at implementation and periodically thereafter.
Conclusion
Treat the health FSA as a HIPAA-covered group health plan unless a narrow exception clearly applies. Limit PHI to plan administration, implement strong privacy and security controls, leverage your TPA for substantiation and storage, and follow current W-2 reporting rules when employer contributions are involved. This approach protects participants, reduces risk, and keeps your plan compliant.
FAQs
Does HIPAA apply to all types of FSAs?
No. HIPAA generally covers health FSAs because they reimburse medical care and operate as group health plans. It does not cover dependent care, parking, or transit FSAs. A small, self-administered group health plan with fewer than 50 participants may fall outside HIPAA’s covered entity definition, but most health FSAs use a TPA and are subject to HIPAA.
How must employers protect PHI in health FSA claims?
Adopt plan-level HIPAA policies, issue a Notice of Privacy Practices when required, and restrict access to a trained benefits team. Implement Security Rule requirements for ePHI: risk analysis, role-based PHI access controls, encryption, audit logging, and secure retention/disposal. Use BAAs with all vendors and apply the minimum necessary standard.
What are employer reporting requirements for health FSA contributions?
Employee salary reductions for a health FSA are not separately reported on Form W-2 and reduce Box 1 wages automatically. Do not use Box 10 (that’s for dependent care) or Code W (that’s for HSAs). Under Box 12, Code DD, a health FSA funded solely by salary reduction is excluded; employer contributions may trigger reporting under the special health FSA rule.
How do third-party administrators affect HIPAA compliance for FSAs?
TPAs are business associates that must safeguard PHI and follow HIPAA under a BAA. They usually handle claim intake, storage, and substantiation, which reduces employer PHI exposure. However, the plan sponsor remains responsible for vendor selection, oversight, and ensuring compliant data flows and breach response.