
HIPAA applies to Health Reimbursement Arrangements (HRAs) because these plans involve handling protected health information (PHI). HRAs are account-based health plans that employers use to reimburse employees for medical expenses. HRAs are considered group health plans, which subjects them to the same privacy and security requirements as other health plans.
When an employee submits a claim for reimbursement, the HRA administrator must verify the medical expense, which involves accessing PHI. The process triggers HIPAA compliance requirements including the need to implement privacy and security measures to safeguard PHI.
Who does HIPAA apply to?
HIPAA applies to a specific set of entities known as covered entities, which consists of health plans, healthcare providers, and healthcare clearinghouses. These organizations qualify as covered entities because they create, receive, maintain, or transmit PHI in the course of electronic transactions.
Does HIPAA apply to HRAs?
According to the HHS Health Reimbursement Arrangements Webpage, “Health reimbursement arrangements (HRAs) are a type of account-based health plan that employers can use to reimburse employees for their medical care expenses.”
Under HIPAA, a group health plan is any plan that provides or pays for medical care, which includes employer-sponsored arrangements like HRAs. Because HRAs process and store employees’ PHI, such as medical expenses and reimbursement claims, they must comply with HIPAA’s requirements to protect PHI.
Since HRAs are employer-funded plans that reimburse employees for qualified medical expenses, including insurance premiums and out-of-pocket costs, they fall within the definition of a group health plan and are therefore subject to HIPAA’s Privacy, Security, and Breach Notification Rules.
How to ensure HIPAA compliance in HRAs
- Organizations must create and enforce policies that align with HIPAA standards to protect sensitive health data in HRAs.
- Regular audits are needed to help identify and address any gaps in compliance with HIPAA regulations.
- All electronic health data within HRAs must be encrypted to prevent unauthorized access.
- Detailed logs of all transactions related to HRA data should be maintained to track access and modifications.
- Regular training for employees handling PHI is necessary to ensure they understand and adhere to HIPAA guidelines.
- Organizations must execute business associate agreements with vendors who handle PHI to ensure secure data handling.
- Organizations should have a plan in place to respond promptly to data breaches or unauthorized access incidents.
- When communicating PHI via email, organizations should use HIPAA-compliant email services that offer encryption and have a Business Associate Agreement in place to protect sensitive health information.
FAQs
What types of HRAs are available?
There are several types of HRAs, including the Qualified Small Employer HRA (QSEHRA), Individual Coverage HRA (ICHRA), and Group Coverage HRA (GCHRA). Each has different eligibility criteria and rules.
What expenses can be reimbursed through an HRA?
HRAs can reimburse expenses such as health insurance premiums, deductibles, copayments, prescription drugs, and preventive services, as defined by the IRS.
Can employees use HRA funds for family members?
Yes, HRA funds can be used for eligible medical expenses of an employee’s spouse and dependents.