Small employers are increasingly seeking innovative ways to provide their employees with health benefits amid rising health insurance costs. The qualified small employer health reimbursement arrangement (QSEHRA) is a popular solution. These employer-funded plans allow companies to reimburse employees for qualified medical expenses. They provide valuable flexibility and budget control.
Becuase the QSEHRA is a formal health plan, it requires employers to follow specific rules and procedures. One of these is the responsibility of adhering to HIPAA’s privacy standards to protect sensitive health information.
In this article, we'll review the HIPAA Privacy Rule and how it applies to the QSEHRA. We’ll also cover what businesses need to know to comply with HIPAA privacy requirements.
In this blog post, you'll learn the following:
- How the QSEHRA compares to a traditional group health plan.
- What's considered protected health information under a QSEHRA.
- What small business owners must do to follow the HIPAA Privacy Rule.
The QSEHRA is a health benefit that allows small business owners to reimburse their eligible employees tax-free for more than 200 types of out-of-pocket healthcare expenses.
Some QSEHRA-eligible expenses include:
Congress designed the benefit for businesses with fewer than 50 full-time equivalent employees (FTEs). QSEHRAs are cost-effective alternatives to traditional group health insurance plans. Plus, eligible employees can choose the health insurance coverage that works best for them instead of getting stuck with a one-size-fits-all employer-funded group health plan. This makes it a valuable tool for attracting and retaining talent while alleviating the financial strain of healthcare costs.
The Health Insurance Portability and Accountability Act of 19961 (HIPAA) is a law that sets standards for protecting sensitive patient health information. Its primary purpose is to ensure that individuals' medical records and other personal health information are adequately safeguarded against unauthorized access and breaches.
Much of the legislation applies only to health plans covering more than 50 employees. But certain portions of HIPAA apply to all plans—including the QSEHRA. Regardless of the number of participants, all health plans must observe the HIPAA Privacy Rule2.
The HIPAA Privacy Rule is a set of national standards designed to safeguard individuals' protected health information (PHI).
The rule regulates how employee PHI is shared outside of the health plan. Businesses that provide employee health benefits must follow these rules.
PHI is defined as information, including demographic data, that relates to:
For the QSEHRA, PHI will most often occur in the form of documentation like receipts. A QSEHRA requires benefit administrators to verify that the participant incurred a qualified medical expense.
This can include:
PHI can exist in electronic, paper, or oral format.
To follow the HIPAA Privacy Rule, small employers offering a QSEHRA must protect employees' PHI. They can’t use this information for employment-related actions. Employers offering this benefit typically outline how they will protect PHI in the QSEHRA plan documents. Plan documents should note the safeguards the business will take for securing the PHI. This includes physical, electronic, and other forms of technical security.
Hiren Shah is the founder of Anstrex3. As a small business owner, he believes that following HIPAA rules is crucial for protecting employee privacy and building trust. He recommends using separate data storage for medical details.
"Instead of storing health-related information alongside general HR files, create a distinct storage system—either a secure digital repository or a dedicated physical space—for QSEHRA-related medical data," Shah said. "This segregation adds an extra layer of security."
Secure communication channels can also keep PHI safe.
"Avoid using standard email for any health information," Shah said.
He suggests using HIPAA-compliant communication tools, such as encrypted messaging platforms or secure employee portals, where only verified personnel can access the information.
Small businesses must also designate HIPAA privacy officers through their plan documents. HIPAA privacy officers are the individuals or groups who have access to QSEHRA participants' PHI and ensure its protected through adherence to HIPAA. Privacy officers may also designate other people who can view the PHI. These officials are almost always the same person or group as the plan administrator.
Finally, the business must establish a process for employees to file claims appeals and outline how the process will work.
Civil penalties for violating HIPAA vary based on severity4:
Intentional violations can result in additional fines and jail time. Additionally, state laws could impose more penalties for the same offenses.
Following HIPAA privacy regulations when managing a QSEHRA takes considerable effort. Businesses must organize plan documents properly, and administrative procedures must guarantee that only designated privacy officers have access to employees' PHI. This can be challenging since the benefit depends on employees consistently submitting PHI.
Many small businesses use a QSEHRA administration tool, like PeopleKeep, to manage their health benefit. With PeopleKeep, our dedicated team handles the difficult tasks for you. We create legal plan documents with compliant HIPAA language and review reimbursements containing employees' PHI. That way, you never come into contact with PHI, so your business isn't burdened with it.
The QSEHRA is a cost-effective way for employers to offer health coverage to their eligible employees. However, understanding the regulations surrounding the qualified small employer health reimbursement arrangement (QSEHRA) and HIPAA is crucial for any employer considering this option.
Following compliance regulations helps protect your employees' information. It also prevents legal issues related to the misuse of health data. To make sure all legal requirements are met, most small employers use an HRA administrator, like PeopleKeep. Schedule a call with one of our HRA specialists to find out how we make offering a QSEHRA easier.
This blog post was originally published on January 15, 2018. It was last updated on November 5, 2024.