The QSEHRA and HIPAA privacy requirements: What are the rules?

Small employers are increasingly seeking innovative ways to provide their employees with health benefits amid rising health insurance costs. The qualified small employer health reimbursement arrangement (QSEHRA) is a popular solution. These employer-funded plans allow companies to reimburse employees for qualified medical expenses. They provide valuable flexibility and budget control.

Becuase the QSEHRA is a formal health plan, it requires employers to follow specific rules and procedures. One of these is the responsibility of adhering to HIPAA’s privacy standards to protect sensitive health information.

In this article, we'll review the HIPAA Privacy Rule and how it applies to the QSEHRA. We’ll also cover what businesses need to know to comply with HIPAA privacy requirements.

In this blog post, you'll learn the following:

• How the QSEHRA compares to a traditional group health plan.
• What's considered protected health information under a QSEHRA.
• What small business owners must do to follow the HIPAA Privacy Rule.

What is the QSEHRA?

The QSEHRA is a health benefit that allows small business owners to reimburse their eligible employees tax-free for more than 200 types of out-of-pocket healthcare expenses.

Some QSEHRA-eligible expenses include:

• Individual health insurance premiums
• Over-the-counter medication
• Doctor visits
• Hospital visits
• Emergency services
• Dental visits
• Vision visits

Congress designed the benefit for businesses with fewer than 50 full-time equivalent employees (FTEs). QSEHRAs are cost-effective alternatives to traditional group health insurance plans. Plus, eligible employees can choose the health insurance coverage that works best for them instead of getting stuck with a one-size-fits-all employer-funded group health plan. This makes it a valuable tool for attracting and retaining talent while alleviating the financial strain of healthcare costs.

What is HIPPA?

The Health Insurance Portability and Accountability Act of 1996¹ (HIPAA) is a law that sets standards for protecting sensitive patient health information. Its primary purpose is to ensure that individuals' medical records and other personal health information are adequately safeguarded against unauthorized access and breaches.

Much of the legislation applies only to health plans covering more than 50 employees. But certain portions of HIPAA apply to all plans—including the QSEHRA. Regardless of the number of participants, all health plans must observe the HIPAA Privacy Rule².

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is a set of national standards designed to safeguard individuals' protected health information (PHI).

The rule regulates how employee PHI is shared outside of the health plan. Businesses that provide employee health benefits must follow these rules.

PHI is defined as information, including demographic data, that relates to:

• The individual's past, present, or future physical or mental health condition
• The provision of healthcare to the individual
• Payment for healthcare services, whether past, present, or future, that can identify an individual or provide sufficient information to reasonably conclude their identity

What is considered PHI under a QSEHRA?

For the QSEHRA, PHI will most often occur in the form of documentation like receipts. A QSEHRA requires benefit administrators to verify that the participant incurred a qualified medical expense.

This can include:

• Documentation of doctor's visits
• Notes made by physicians and other provider staff
• Healthcare payment and remittance advice
• Coordination of healthcare benefits
• Healthcare claim status
• Health policy premium payments
• Referral certifications and authorization
• First report of injury
• Health claims attachments

PHI can exist in electronic, paper, or oral format.

What must small businesses do to comply with the HIPAA Privacy Rule while administering a QSEHRA?

To follow the HIPAA Privacy Rule, small employers offering a QSEHRA must protect employees' PHI. They can’t use this information for employment-related actions. Employers offering this benefit typically outline how they will protect PHI in the QSEHRA plan documents. Plan documents should note the safeguards the business will take for securing the PHI. This includes physical, electronic, and other forms of technical security.

Hiren Shah is the founder of Anstrex³. As a small business owner, he believes that following HIPAA rules is crucial for protecting employee privacy and building trust. He recommends using separate data storage for medical details.

"Instead of storing health-related information alongside general HR files, create a distinct storage system—either a secure digital repository or a dedicated physical space—for QSEHRA-related medical data," Shah said. "This segregation adds an extra layer of security."

Secure communication channels can also keep PHI safe.

"Avoid using standard email for any health information," Shah said.

He suggests using HIPAA-compliant communication tools, such as encrypted messaging platforms or secure employee portals, where only verified personnel can access the information.

Small businesses must also designate HIPAA privacy officers through their plan documents. HIPAA privacy officers are the individuals or groups who have access to QSEHRA participants' PHI and ensure its protected through adherence to HIPAA. Privacy officers may also designate other people who can view the PHI. These officials are almost always the same person or group as the plan administrator.

Finally, the business must establish a process for employees to file claims appeals and outline how the process will work.

What penalties could a business face for HIPAA Privacy Rule violations?

Civil penalties for violating HIPAA vary based on severity⁴:

• Tier 1: Minimum fine of $100 per violation up to $50,000
• Tier 2: Minimum fine of $1,000 per violation up to $50,000
• Tier 3: Minimum fine of $10,000 per violation up to $50,000
• Tier 4: Minimum fine of $50,000 per violation

Intentional violations can result in additional fines and jail time. Additionally, state laws could impose more penalties for the same offenses.

How do most small businesses handle HIPAA privacy regulations while administering a QSEHRA?

Following HIPAA privacy regulations when managing a QSEHRA takes considerable effort. Businesses must organize plan documents properly, and administrative procedures must guarantee that only designated privacy officers have access to employees' PHI. This can be challenging since the benefit depends on employees consistently submitting PHI.

Many small businesses use a QSEHRA administration tool, like PeopleKeep, to manage their health benefit. With PeopleKeep, our dedicated team handles the difficult tasks for you. We create legal plan documents with compliant HIPAA language and review reimbursements containing employees' PHI. That way, you never come into contact with PHI, so your business isn't burdened with it.

Conclusion

The QSEHRA is a cost-effective way for employers to offer health coverage to their eligible employees. However, understanding the regulations surrounding the qualified small employer health reimbursement arrangement (QSEHRA) and HIPAA is crucial for any employer considering this option.

Following compliance regulations helps protect your employees' information. It also prevents legal issues related to the misuse of health data. To make sure all legal requirements are met, most small employers use an HRA administrator, like PeopleKeep. Schedule a call with one of our HRA specialists to find out how we make offering a QSEHRA easier.

This blog post was originally published on January 15, 2018. It was last updated on November 5, 2024.

1. ASPE Health Insurance Portability and Accountability Act of 1996
2. HHS The HIPAA Privacy Rule
3. Anstrex
4. The HIPPA Journal