The Joint Committee on Employee Benefits (JCEB) of the American Bar Association has posted transcripts of the 2005 Q & A Sessions with the following governmental agencies:
- Centers for Medicare and Medicaid Services (CMS)
- Equal Employment Opportunity Commission (EEOC)
- Health and Human Services (HHS)
- Internal Revenue Service & U.S. Department of Treasury (IRS)
- Pension Benefit Guaranty Corporation (PBGC)
Highlights of the IRS session include Q & As discussing Internal Revenue Code section 409A, health savings accounts, and automatic rollover provisions.
Note also this excerpt from the Health and Human Services session:
Question 5: Is a Health Savings Account (HSA) subject to the HIPAA privacy rules? If the answer is yes, who has the responsibility for ensuring that the HIPAA privacy requirements are met, the individual account owner, the custodian or trustee of the HSA, or an employer who maintains the related High Deductible Health Plan?Proposed Answer 5: The privacy rules apply to “covered entities,” which include health plans, health care clearinghouses, and health care providers. The definition of health plan includes individual and group plans that provide or pay for the cost of medical care.
Although the definition of health plan is broad enough to include HSAs established by an individual with no involvement on the part of the individual’s employer, the privacy rules were not intended to apply in this context. The privacy rules serve, in part, to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. As the Department of Labor noted in Field Assistance Bulletin 2004-1, “HSAs are personal health care savings vehicles rather than a form of group health insurance.” Furthermore, funds held in an HSA need not be used exclusively for the payment of medical care (although they may lose certain tax benefits if they are used for other purposes). HSAs were introduced as a means of promoting savings and assisting individuals with the high cost of health care. Subjecting HSAs to the burden of HIPAA compliance would discourage rather than promote savings because it would discourage trustees and custodians from offering such accounts and would add to the costs of maintaining them. In balancing the promotion of health care savings with the need to protect individuals’ health information, we believe the better approach is not to subject individual HSA accounts, nor the custodians or trustees that sponsor them, to the HIPAA privacy rules where there is no involvement by employers in the establishment or maintenance of the account.
Answer: HHS stated that it is coming to the conclusion that HSAs are not health plans and therefore are exempt from the HIPAA privacy rule. HHS is trying to distinguish between HSAs, which function more like individual savings accounts, and group health plans. HHS may issue further guidance on this issue in fall 2005.
Please note that the JCEB website provides the following disclaimer:
The questions are submitted by ABA members and the responses are given at a meeting of JCEB and government representatives. The responses reflect the unofficial, individual views of the government participants as of the time of the discussion, and do not necessarily represent agency policy.
You can access previous year Q & A sessions here as well.