
HIPAA in the Workplace: What Employers and Consultants Should Know About FSAs, HRAs, and Employee Health Information
HIPAA is one of the most referenced workplace privacy laws, yet it’s also one of the most misunderstood. Employers, HR teams, and consultants often find themselves navigating questions about how HIPAA applies to group health plans, what it means for flexible spending accounts (FSAs) and health reimbursement arrangements (HRAs), and how employee health information should be handled inside the organization.
A lot of the confusion comes from the fact that HIPAA applies very specifically to the group health plan—not to all health-related information an employer may have. Once employers understand that distinction, the rest of the requirements begin to fall into place.
Keep reading to learn how HIPAA applies to FSAs and HRAs, the core responsibilities employers have as plan sponsors, and the workplace myths that tend to cause the most uncertainty.
HIPAA and Employer-Sponsored Group Health Plans
Health care FSAs and HRAs are considered group health plans under HIPAA. That means they must comply with HIPAA’s Privacy and Security Rules, including requirements for documentation, notices, and safeguards. Employers often work with a third-party administrator to support these plans. In those situations, the administrator is considered a business associate of the health plan and must follow HIPAA’s standards as well.
Key HIPAA Requirements for FSAs and HRAs
While HIPAA can feel complex, its core requirements for group health plans can be grouped into a few straightforward categories.
Plan Documentation
The plan document must include language describing the allowed uses of protected health information (PHI), which employer personnel are authorized to access PHI for plan administration, and how plan operations are kept separate from employment decisions. This documentation must be in place before the plan shares PHI with the employer. EBC’s plan document templates include the required HIPAA provisions to support these compliance needs.
Notice of Privacy Practices
Employees participating in a health care FSA or HRA must receive a Notice of Privacy Practices. This notice explains how the plan protects PHI and outlines participant rights such as requesting restrictions, accessing their information, or submitting complaints. Employers that use a wrap plan document may not need to issue a separate Notice of Privacy Practices for their health care FSA and/or HRA if those components are fully integrated into the wrap plan. In those cases, the wrap plan’s existing Notice of Privacy Practices may satisfy the HIPAA privacy notice requirement for all included benefits. EBC provides a customizable Notice of Privacy Practices that employers can share with participants.
Business Associate Agreements
When a vendor assists the plan with claims or other functions involving PHI, a business associate agreement is required. This agreement ensures the vendor follows HIPAA’s standards for protecting PHI and reporting issues. EBC offers a standard Business Associate Agreement for FSA and HRA clients.
HIPAA Operational Rules
Beyond documents and notices, HIPAA includes several day-to-day requirements that influence how an FSA or HRA is administered.
Minimum Necessary
HIPAA requires plans and their business associates to use and disclose only the minimum amount of PHI needed to accomplish a particular task. For example, employers may receive summary information for plan administration (e.g., total claims paid or aggregate utilization trends), but not individual diagnosis codes or line-item claim details unless required for a specific administrative function and permitted by the plan documents.
Authorized Users
Only personnel identified in the plan document may access PHI, and only for permitted plan administration purposes. Employers must clearly separate employees who perform plan functions from those involved in hiring, firing, or performance reviews to prevent PHI from influencing employment decisions. In addition, business associates and their subcontractors may access PHI when necessary to perform the services outlined in their Business Associate Agreements, but only to the minimum extent required to carry out those contracted functions.
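The Minimum Necessary and Authorized Users rules above describe a data-minimization control: each requester gets only the view of PHI that the plan document authorizes for a stated purpose, and everyone else gets nothing. The Python below is an added illustration of that control, not code from the original article or from EBC; the claims records, user names, purposes, the plan-document mapping, and the disclosure log are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample claims for illustration only (hypothetical participants and codes).
CLAIMS = [
    {"participant": "P-1001", "diagnosis_code": "J06.9", "amount": 120.00, "month": "2024-03"},
    {"participant": "P-1002", "diagnosis_code": "M54.5", "amount": 340.50, "month": "2024-03"},
    {"participant": "P-1001", "diagnosis_code": "J06.9", "amount": 80.00, "month": "2024-04"},
    {"participant": "P-1003", "diagnosis_code": "E11.9", "amount": 215.25, "month": "2024-04"},
]

# Hypothetical stand-in for the plan document's list of authorized personnel and the
# plan functions each may perform. Anyone not listed here (e.g. an HR manager who makes
# hiring or performance decisions) is not authorized for any purpose.
AUTHORIZED_USERS = {
    "benefits.admin": {"plan_administration"},  # employer personnel named in the plan document
    "tpa.claims": {"claims_processing"},        # business associate, per its BAA
}

# Constructed audit trail of every disclosure request, granted or denied.
DISCLOSURE_LOG = []


def summarize_claims(claims):
    """Aggregate view for plan administration: counts, totals and monthly utilization.
    No participant identifiers or diagnosis codes are carried into the result."""
    by_month = defaultdict(lambda: {"claims": 0, "paid": 0.0})
    for claim in claims:
        bucket = by_month[claim["month"]]
        bucket["claims"] += 1
        bucket["paid"] = round(bucket["paid"] + claim["amount"], 2)
    return {
        "claim_count": len(claims),
        "total_paid": round(sum(c["amount"] for c in claims), 2),
        "by_month": dict(sorted(by_month.items())),
    }


def line_item_claims(claims):
    """Full line-level detail, needed only to adjudicate claims (a business associate function)."""
    return [dict(claim) for claim in claims]


# The only views that exist; a purpose with no view here can never be granted.
VIEWS = {
    "plan_administration": summarize_claims,
    "claims_processing": line_item_claims,
}


def is_authorized(user, purpose):
    """True only if the plan document (AUTHORIZED_USERS) lists this user for this purpose."""
    return purpose in VIEWS and purpose in AUTHORIZED_USERS.get(user, set())


def disclose(user, purpose, claims):
    """Return the minimum-necessary view of PHI for an authorized user and purpose.
    Denied requests are logged and raise PermissionError rather than returning anything."""
    granted = is_authorized(user, purpose)
    DISCLOSURE_LOG.append({"user": user, "purpose": purpose, "granted": granted})
    if not granted:
        raise PermissionError(f"{user} is not authorized for {purpose}")
    return VIEWS[purpose](claims)


if __name__ == "__main__":
    print(disclose("benefits.admin", "plan_administration", CLAIMS))
    try:
        disclose("hr.manager", "plan_administration", CLAIMS)
    except PermissionError as err:
        print("denied:", err)
    print(DISCLOSURE_LOG)
```

The point of the structure is that authorization and view selection are decided together: a user who is authorized for plan administration cannot reach the line-item view simply by asking for it, and the aggregate view is built without ever copying identifiers or diagnosis codes, so nothing has to be redacted after the fact. The log records denials as well as grants, which is the evidence a plan would want when reviewing its safeguards.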
Safeguards
Plans must implement administrative, technical, and physical safeguards to protect PHI. That includes training for employees who handle PHI, procedures for storing and transmitting information securely, and practices for preventing unauthorized access.
These requirements apply to both the health plan and any business associates that support it.
Common Myths About HIPAA in the Workplace
Even with clear rules in place, certain myths tend to persist in workplace conversations about HIPAA.
“HIPAA applies to all medical information employers receive.”
HIPAA applies only to PHI held by a group health plan or its business associates. Other records—such as workers’ compensation files, ADA accommodation documents, or FMLA certifications—fall under different laws.
“The employer can see whatever information it wants because it sponsors the plan.”
Employer access to FSA or HRA information is limited to employees authorized in the plan document, and only for plan administration activities. Claims information cannot be used for employment decisions.
“Employees can’t discuss their own medical issues at work.”
Employees may share their own information if they choose. HIPAA limits what the health plan may disclose, not what employees may say.
“HIPAA always applies to workplace wellness programs.”
Whether HIPAA applies depends on how the program is structured. Some wellness programs are tied to the group health plan and are subject to HIPAA, while others are not.
Making HIPAA Compliance Manageable
Employers offering FSAs and HRAs are responsible for making sure their plans follow HIPAA’s requirements, but those requirements become much clearer once the distinctions between plan information and employment information are understood. With the right documentation, controlled access to PHI, and appropriate safeguards, employers can manage their responsibilities confidently and help ensure participant information remains protected.