The QSEHRA and HIPAA Privacy Requirements: What Are the Rules?
By: Caitlin Bronson, Zane Benefits, January 2018
The qualified small employer health reimbursement arrangement (QSEHRA) was designed specifically for small businesses with fewer than 50 employees. As such, it isn’t subject to many of the federal laws that affect larger employee health plans.
One such law is HIPAA (the Health Insurance Portability and Accountability Act of 1996). The legislation outlines data privacy and security provisions for medical information, and much of it applies only to health plans covering more than 50 employees.
But certain portions of HIPAA apply to all plans—including the QSEHRA.
Regardless of the number of participants, all health plans must observe the HIPAA Privacy Rule. This rule controls when the health plan can and cannot share health information with the company sponsoring the plan.
In this post, we’ll review the HIPAA Privacy Rule, how it applies to the QSEHRA, and what businesses need to know to comply with HIPAA privacy requirements.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule is a set of national standards designed to safeguard individuals’ protected health information (PHI).
For businesses offering an employee health benefit, the rule controls the conditions under which employee PHI will be shared outside the health plan, including with the company sponsoring the plan.
PHI is defined as information, including demographic data, that relates to:
– the individual’s past, present, or future physical or mental health condition;
– the provision of health care to the individual; or
– the past, present, or future payment for the provision of health care to the individual;
and that identifies the individual or contains enough information that there’s a reasonable basis to believe it could be used to identify the individual.
What is considered PHI under a QSEHRA?
For the QSEHRA, PHI will most often occur in the form of documentation verifying that the participant incurred a qualified medical expense.
This could include:
– Documentation of doctor’s visits
– Notes made by physicians and other provider staff
– Health care payment and remittance advice
– Coordination of health care benefits
– Health care claim status
– Health policy premium payments
– Referral certifications and authorization
– First report of injury
– Health claims attachments
PHI could occur in electronic, paper, or oral format.
What must small businesses do to comply with the HIPAA Privacy Rule and protect PHI while administering a QSEHRA?
To comply with the HIPAA Privacy Rule, small businesses offering a QSEHRA must certify that employees’ PHI will be protected and not used for employment-related actions. This certification usually occurs in the QSEHRA plan documents and should note the safeguards the business will take for securing the PHI (including physical, electronic, and other forms of technical security).
Small businesses must also designate HIPAA privacy officers through their plan documents. HIPAA privacy officers are the individual or group who will be exposed to the QSEHRA participants’ PHI. HIPAA privacy officers may also designate other people who can be exposed to PHI.
These officials are almost always the same person or group as the plan administrator.
Finally, the business must establish a process for employees to file claims appeals and outline how the process will work.
What penalties could a business face for HIPAA Privacy Rule violations?
If a small business administering a QSEHRA violated the HIPAA Privacy Rule, it could face civil penalties of $100 per violation. These penalties can stack if there are multiple violations affecting a single individual.
The maximum civil penalties are $25,000 per year, per person, per standard.
For example, if two standards were violated with respect to one employee, the penalties could amount to as much as $50,000.
Criminal penalties could also come into play if information was “knowingly and improperly” disclosed, or if information was obtained under “false pretenses.” These penalties could reach up to $250,000 in fines and ten years in prison.
State laws could also impose additional penalties for the same offenses.
How do most small businesses handle HIPAA privacy regulations while administering a QSEHRA?
Complying with HIPAA privacy regulations like the Privacy Rule while administering a QSEHRA requires a great amount of work from a small business. Not only must plan documents be structured correctly, but administration procedures must also ensure no one outside of designated privacy officers has access to employees’ PHI.
Because the benefit relies on employees submitting PHI on a regular basis, this can be difficult.
Most small businesses today rely on personalized benefits automation software solutions to offer and administer a QSEHRA. These solutions draft plan documents that include compliant HIPAA language and update them in real time. They also take care of QSEHRA administration requirements like reviewing documents with employees’ PHI so the business doesn’t have to.
And there are time savings as well. With a personalized benefits automation software solution like PeopleKeep, small businesses spend an average of 5 to 15 minutes a month administering a QSEHRA.
Conclusion
In an era when high-profile data breaches are common, anxiety over personal privacy has never been higher. In addition to legal requirements, small business employees expect their companies to protect their health information.
Complying with HIPAA privacy requirements is therefore a matter of both legal necessity and best practice when offering a QSEHRA.
To make sure all requirements are met, most small businesses use a personalized benefits automation software solution.