HIPAA and Employee FSA Payments: What Applies, What Doesn’t, and Why
HIPAA Applicability to Health FSAs
A health flexible spending arrangement (health FSA) is a group health plan that reimburses medical care. As a result, the plan itself, not the employer, is the HIPAA covered entity: the HIPAA Privacy Rule governs the protected health information (PHI) it creates or receives in any form, and the HIPAA Security Rule governs the PHI it maintains or transmits electronically (ePHI).
What it means in practice
- The plan can use and disclose PHI for treatment, payment, and health care operations, and for limited other purposes permitted by the HIPAA Privacy Rule.
- The employer, as plan sponsor, may access only the minimum necessary PHI for plan administration if the plan documents are amended and the sponsor provides required certifications.
- Workforce “firewalls” are essential so supervisors and hiring managers do not receive PHI that could affect employment decisions.
The Security Rule for ePHI
- If the plan stores or transmits electronic PHI (ePHI)—for example, claim files, debit-card logs, or secure data feeds—you must implement administrative, physical, and technical safeguards, conduct a risk analysis, and maintain ongoing security risk management.
- Where vendors handle ePHI, the plan must have a Business Associate Agreement (BAA) and monitor the vendor’s security practices.
PHI in an FSA context
- PHI includes claim forms, receipts, debit-card transaction data, explanations of benefits, and substantiation details that identify an individual and relate to past, present, or future health care.
- Data de-identified under the Privacy Rule's standards is no longer PHI and can be shared more broadly. Aggregate or summary reports that are not fully de-identified remain PHI, and small populations or cell counts can make individuals identifiable, so manage re-identification risk before releasing them.
Exemptions for Small Health FSAs
A narrow exception exists for a group health plan that is both self-administered and has fewer than 50 participants. In that case, the plan is generally excluded from the HIPAA definition of “health plan,” and the HIPAA Privacy Rule and Security Rule do not apply to it as covered entity requirements.
Qualifying—and losing—the exception
- Self-administered means the plan is administered solely by the employer that established and maintains it, with no third-party administrator (TPA) or carrier performing plan administration.
- "Participants" are employees (and former employees) who are or may become eligible to receive benefits; dependents are not counted. Reaching 50 participants, or engaging a TPA, typically ends the exception.
Practical safeguards even if exempt
- Even where exempt, you still handle sensitive health information. Use confidentiality policies, access controls, and secure storage as best practice and to support ERISA fiduciary duties.
- Reassess headcount and administration annually; document your determination to support audits and ACA compliance tracking.
Excepted Benefits Status
Most compliant health FSAs are “excepted benefits.” That status affects ACA market reforms but does not remove HIPAA obligations unless the small self-administered exception applies. To be an excepted benefit, a health FSA must satisfy both the availability and maximum benefit rules.
Two required tests
- Availability: The health FSA is offered only to employees who are eligible for the employer’s major medical group health plan.
- Maximum benefit: The maximum FSA benefit for the year does not exceed the greater of (a) two times the employee’s salary reduction, or (b) the employee’s salary reduction plus $500. Employer flex credits count under these rules; permitted carryovers generally do not.
Why excepted status matters
- Excepted benefits are not subject to ACA preventive-services mandates and annual-limit prohibitions, enabling the FSA’s inherent dollar cap.
- Excepted status does not, by itself, eliminate HIPAA Privacy Rule or Security Rule duties; those hinge on whether the plan is a HIPAA-covered health plan.
Impact of Third-Party Administrators
When a TPA administers your FSA, it is a business associate to the plan. You must execute a Business Associate Agreement that defines permitted uses and disclosures of PHI, requires safeguard implementation under the HIPAA Security Rule, and assigns breach-notification duties.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
BAA essentials and oversight
- Specify minimum necessary data flows, encryption in transit and at rest, subcontractor “flow-down” obligations, prompt incident reporting, and return or destruction of PHI at termination.
- Perform vendor due diligence, review SOC reports when available, and map data exchanges to ensure ACA reporting and payroll integrations do not overexpose PHI.
Limiting employer access
- Receive summary or de-identified utilization reports where possible; restrict named-claim details to staff performing plan administration.
- Adopt procedures for employee inquiries so HR assists without accessing more PHI than is necessary.
Reimbursement Restrictions
Health FSA payments must meet tax and plan rules. Reimburse only Code §213(d) medical care expenses incurred during the coverage period, and substantiate each claim with independent third-party evidence showing the patient, date of service, provider, amount, and eligible service.
Key payment rules
- No prepayment: Reimburse after services are incurred, not when billed or paid.
- Uniform coverage: The full annual election (less prior reimbursements) is available from day one of the plan year.
- No double-dipping: Do not reimburse amounts paid or reimbursed by another plan.
- OTC and menstrual care: Over-the-counter drugs and menstrual care products are eligible; prescriptions are not required for those OTC items.
Premiums and excluded items
- General rule: A health FSA cannot reimburse insurance premiums of any kind (individual policies, Marketplace, Medicare, employer plan premiums, COBRA, or long-term care).
- Distinguish from premium-only plans (POPs): A POP allows pre-tax premium contributions through the cafeteria plan, but that is not an FSA reimbursement.
ACA Market Reform Provisions
ACA market reforms (such as preventive-services coverage without cost-sharing and the prohibition on annual dollar limits) do not apply to an excepted benefit health FSA. If a health FSA fails the excepted-benefit tests, it becomes a non-excepted, stand-alone plan and will generally violate ACA market reforms.
Integration and design checkpoints
- Offer the health FSA only to employees eligible for the employer’s major medical group health plan, and confirm the maximum benefit test annually.
- Avoid stand-alone FSAs; ensure the FSA is integrated with your group health plan to preserve excepted-benefit status and ACA compliance.
Employer Responsibilities
As plan sponsor and administrator, you must blend HIPAA, tax, and ACA obligations into daily operations. Clear documentation and disciplined access to PHI are essential to compliance and participant trust.
Operational checklist
- Plan documents: Maintain a written plan document and summary plan description reflecting FSA terms, substantiation rules, carryover or grace period features, and HIPAA provisions.
- HIPAA program: Adopt Privacy Rule policies, designate a privacy official, train staff, issue a Notice of Privacy Practices, and implement Security Rule safeguards for ePHI.
- Business associates: Execute and monitor BAAs with TPAs and any vendors that create, receive, maintain, or transmit PHI.
- Access controls: Limit PHI access to staff who perform plan administration; segregate employment and benefits functions.
- Breach readiness: Maintain incident response, risk assessment, and participant notification procedures.
- Status checks: Annually verify the small-plan exemption (if claimed), the excepted-benefit tests, participant counts, and ACA compliance alignment.
Conclusion
In short, most health FSAs are HIPAA-covered group health plans, unless they are truly small and self-administered. Excepted-benefit status shields the FSA from ACA market reforms but not from core HIPAA duties. Tight vendor management, disciplined PHI access, and rigorous substantiation keep your health FSA compliant and your employees’ information protected.
FAQs
Does HIPAA apply to all employee FSAs?
Generally yes. A health FSA is a group health plan and a HIPAA covered entity subject to the HIPAA Privacy Rule and HIPAA Security Rule. The main exception is a self-administered plan with fewer than 50 participants, which falls outside the HIPAA “health plan” definition.
What exemptions exist for small health FSAs under HIPAA?
If the plan is self-administered and has fewer than 50 participants, it is typically excluded from the HIPAA definition of a health plan. Using a TPA or reaching 50 participants usually ends that exemption, triggering full HIPAA compliance.
How do third-party administrators affect HIPAA compliance for FSAs?
Engaging a TPA makes the TPA a business associate. You must have a Business Associate Agreement, ensure safeguards for PHI and ePHI, and limit employer access to the minimum necessary PHI for plan administration.
Can health FSAs reimburse insurance premiums?
No. Health FSAs cannot reimburse insurance premiums, including COBRA, Marketplace, Medicare, employer plan premiums, or long-term care insurance. If employees want pre-tax premium contributions, that is handled through a premium-only plan, not through FSA reimbursements.