United States: HSAs and the HIPAA Privacy Rules: The Clash of the Acronyms

Since December 2003 when President Bush signed the Medicare Prescription Drug, Improvement and Modernization Act of 2003, many articles in the popular and legal press have reviewed the benefits and features of Health Savings Accounts ("HSAs"). Structured similarly to Archer Medical Savings Accounts, HSAs offer an impressive list of attractive features, including no use-it-or-lose-it, the ability to use the funds for non-medical purposes, self-substantiation of expenses, and the list goes on. (The features of HSAs are discussed in more detail in our prior Legal Alert of February 2004 at www.kilpatrickstockton.com/publications/legal_alerts.aspx.) The focus of this legal alert will be on an issue that has received little discussion—the impact of the HIPAA privacy rules on the operation and design of HSAs.

The Two Components of an HSA Design

Individuals enrolled in high-deductible health plans ("HDHPs") may establish HSAs to receive tax-favored contributions. Thus, an HSA design will have two components—the first component will be the HDHP and the second component will be the HSA. The HDHP may be sponsored by an employer, or it may be offered by an insurer. Either way the HDHP will be subject to the HIPAA privacy rules. However, the analysis of whether an HSA is also covered by the HIPAA privacy rules should not turn on the status of the HDHP under HIPAA. While every person who has an HSA will also have an HDHP, there is no requirement under the Code or ERISA that these two components be linked in any manner. In fact, the entities that provide the HDHP (e.g., employers and insurers) will in most situations not be the entities that will be providing an HSA (e.g., banks and trust companies). From this perspective, therefore, the HIPAA privacy status of HDHPs should not taint or affect the HIPAA privacy status of HSAs.

Is an HSA a "Health Plan" under the HIPAA Privacy Rules?

If an HSA satisfies the definition of a "health plan" under the HIPAA privacy rules, then the HSA is considered a "covered entity" and would need to comply with the applicable HIPAA privacy rules.

Definition of a "Health Plan." The definition of a "health plan" includes seventeen different arrangements and types of coverages. Of these seventeen arrangements and coverages, only two appear to be applicable to HSAs: (1) ERISA group health plans, and (2) any individual or group plan that pays for the cost of medical care. Both of these arrangements are discussed below.

ERISA Group Health Plans. The key issue here is whether an HSA should be considered an employee welfare benefit plan under ERISA. We understand the Department of Labor ("DOL") has been asked for an advisory opinion on this issue and, reportedly, a response is near. However, even assuming that an HSA is an ERISA welfare plan, if the HSA arrangement includes less than 50 participants and is self-administered by the employer, then the HSA would be excepted from the definition of a group health plan under the HIPAA privacy rules.

While many HSAs may have fewer than 50 participants in the aggregate, those that have 50 or more could make the argument that each employee’s HSA constitutes a separate "plan." Under this position, it would not matter how many employees had an HSA option through the employer because each one would be a separate individual plan. However, assuming you satisfy the fewer-than-50 requirement, the "plan" must also be self-administered to satisfy the exception. In this regard, another gray area exists regarding whether HSAs can be considered self-administered by the employer. On the one hand, the Department of Health and Human Services ("HHS") could argue that HSAs are not self-administered, because the HSA bank or trust company is partly administering the HSA. On the other hand, an employer could argue that the administration of the HSA (for purposes of the employer) ceases when contributions and salary deferrals are sent to the HSA trustee for deposit in the employee’s account. Any administration of the HSA account after that event is the employee’s responsibility (and not the employer’s). Further, the fact that the employee is responsible need not be a problem in the HIPAA analysis, because employees always have some responsibilities with respect to the operation of a health plan. Indeed, the argument would be that, if this were a problem, there would be no self-administered health plans. If this argument is successful, the self-administered exception could apply.

However, if the HSA cannot be considered self-administered or has 50 or more participants, the exception would not apply and the issue would then turn on whether the HSA is a welfare benefit plan under ERISA. In general, under ERISA, each of the following three requirements must be satisfied to have an ERISA welfare benefit plan:

  1. There must be a plan, fund or program;
  2. The plan must be established or maintained by the employer; and
  3. The purpose of the plan must be to provide ERISA-covered benefits (e.g., medical benefits) to participants and beneficiaries.

An HSA most likely satisfies the first requirement because it is a plan or a program, so the real focus is on the other two requirements. Of the remaining two requirements, the one that has a more familiar line of analysis is whether the plan is established or maintained by the employer. In general, the establishment and maintenance of a plan by an employer is a facts and circumstances analysis that DOL has explicated previously, e.g., in connection with IRAs. Under this traditional DOL analysis, if the employer takes a limited role with regard to HSA administration and design, the HSA should not be established or maintained by the employer and should not be an ERISA plan.

Thus, if the employer merely provides the HDHP (either directly or through an insurer) and then requires employees to establish their own HSA accounts, the HSA need not be an ERISA plan. However, if the employer envelops itself in the administration of the HSA—for example, selects a single, specific HSA trustee, assists employees in establishing HSA accounts and identifies the employer with the HSA structure offered—then under prior DOL guidance applicable to IRAs, the HSA should be considered established or maintained by the employer. In addition, if the employer makes its own contributions to the HSA, the HSA would be considered established or maintained by the employer. Allowing only employee salary reduction contributions should not be fatal, but it could make it more difficult to avoid an excessive role with respect to the HSA than would be the case if all funding occurred through only tax-deductible employee contributions.

The remaining requirement of whether the plan provides ERISA-covered medical benefits involves a less familiar line of analysis and may have contributed to DOL’s taking some time to respond to the pending advisory opinion request. For example, an employer could argue that there is no requirement that an HSA provide medical benefits because it is a dual-purpose account. The HSA may reimburse medical costs and it may also reimburse any other non-medical costs as well. At the same time, HSA accounts are focused preferentially on medical care reimbursements, because these reimbursements are tax-free, while distributions for non-medical care expenses are subject to income taxation and in most circumstances a 10% penalty tax. However, is that enough? In any event, this is a substantial issue that may be answered soon by DOL, but otherwise employers will have to decide for themselves when determining whether to offer HSAs to their employees.

Individual or Group Plans that Pay for Medical Care. Under the HIPAA privacy rules, any individual or group plan that provides or pays for the cost of medical care is deemed to be a "health plan." This is sometimes referred to as the catch-all provision. Assuming the HSA is not considered an ERISA plan, it is possible that the HSA could still be a "health plan" under the catch-all provision. The reason for this is that the catch-all provision does not require the HSA to be established or maintained by the employer. It looks solely to whether the HSA provides or pays for medical care. In essence this gets back to the same question noted above with respect to whether the HSA is sufficiently focused on medical benefits to make it subject to ERISA. However, because this question will be answered by HHS, it is possible that DOL and HHS could answer it differently (e.g., if DOL decided an HSA’s dual purpose character prevented it from being an ERISA welfare plan providing health benefits, it is still conceivable that HHS could decide that an HSA is a health plan under the HIPAA privacy rules because it comes within the catch-all provision.)

If an HSA is a "health plan" under the catch-all provision, the HSA would be a "covered entity." However, who is responsible for its compliance? ERISA welfare plans have a plan administrator (who is typically the employer or a committee composed of the employer’s employees) that acts on behalf of the ERISA welfare plan. In that situation, the plan administrator would be responsible for HIPAA privacy compliance. If the HSA is not an ERISA welfare plan, however, there is no one directly responsible to act on the HSA’s behalf. Thus, in this situation an employer could argue that it is not responsible for the HSA’s compliance with the HIPAA privacy rules, because it has no authority or liability with respect to the "health plan." On the other hand, HHS could argue that the employer is still responsible for the HIPAA privacy compliance of the HSA because the employer has the closest nexus to the HSA.

What Happens if the HSA is a HIPAA Health Plan?

Because it is conceivable that an HSA may be considered a health plan under the HIPAA privacy rules, we address the application of both the HIPAA privacy rules and the HIPAA electronic data interchange ("EDI") rules below.

HIPAA Privacy Rules. If an HSA is considered a HIPAA-covered health plan sponsored by the employer and no exemption applies, the employer would be responsible for complying with the HIPAA privacy rules because the HSA is considered to be self-insured. This would include, among other things, adopting policies and procedures, amending the HSA plan documents to include the required HIPAA language, distributing a privacy notice to covered employees and appointing a privacy official. Another requirement is to execute a business associate agreement with any applicable service providers. An HSA service provider will be a business associate, if the service provider (1) receives individually identifiable health information from or on behalf of the HSA, or (2) otherwise provides legal, accounting, actuarial, consulting, management, administrative or financial services to or for the HSA.

For HSAs, the most important service provider will be the bank or trustee that holds the HSA accounts. In analyzing whether the bank or trustee is a business associate, you must examine the information received by the bank or trustee from both the employer and the employees. The information received from employers will consist of participant names and contribution amounts. This type of information could fit under the exception for enrollment information maintained by the employer, which may be shared with the bank or trustee without first obtaining a business associate agreement (i.e., enrollment information maintained by the employer is not covered by the HIPAA privacy rules).

On the employee side, an employer could argue that because the employee self-substantiates his/her own expenses, the HSA bank or trustee will not need any health information to authorize a distribution. The employee would simply request a distribution of a certain dollar amount, and the bank or trustee would send the funds. However, the issue here is that the definition of individually-identifiable health information includes information related to the payment of health care. Thus, even though the bank or trustee may not receive actual health information (e.g., the bank would not receive copies of EOBs like a health flexible spending account administrator would), the bank does receive requests related to the payment of health care.

On this issue, HHS has made the following statements in the preamble to the HIPAA privacy rules:

"We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilities or effects the transfer of funds for compensation for health care (emphasis added). A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider being paid." (See, 65 Fed. Reg. 82476 (December 28, 2000) and HHS FAQ, Page 43 (December 3, 2002)).

Based on the above language, despite the presence of potential PHI, the processing of consumer-conducted transactions or any other activity that facilitates the transfer of funds for compensation for health care does not rise to the level of a bank being treated as a business associate under the HIPAA Privacy Rules. Therefore, because employees would only need to tell their HSA bank or trustee the distribution amount and where to send the funds, it seems reasonable that an employer could argue that the HSA bank or trustee does not receive any individually-identifiable health information. If this argument is successful, the HSA bank or trustee would not satisfy the first business associate test.

Assuming that the HSA bank or trustee does not satisfy the first business associate test, does it satisfy the second test by providing "financial services" to the HSA? There appears to be no further definition of "financial services" in this context, but based on the above language in the preamble the bank’s or trustee’s role should be viewed as being no more than simply conducting a regular banking transaction.

HIPAA EDI Rules. If an HSA is considered a HIPAA-covered health plan, it appears that the normal transactions that would occur with an HSA would not be covered by the HIPAA EDI rules. For example, both employee contributions and employer contributions should not trigger the application of the "health plan premium payment" transaction, because employees and employers are not covered entities under the HIPAA EDI rules. Similarly, distributions from an HSA account should also not be covered by the HIPAA EDI rules because they are requested by the employee—a non-covered entity—meaning that the "health care claim" and "health care payment" transactions should not be triggered. Even HSAs that allow individuals access to their HSA balances through a debit or credit card arrangement would not be covered by the HIPAA EDI rules based on the ruling by HHS in September 2003 exempting these cards from the EDI rules.

Currently there are too many variables and unknowns to say definitively whether HSAs will, in fact, be covered or not covered by the HIPAA privacy rules. However, employers may be able to structure their HSA arrangements in a way that allows a reasonable, initial assessment that HIPAA should not apply. Still, this is one area to which employers should pay close attention as developments arise.

The information contained in this article is not intended as legal advice or as an opinion on specific facts. For more information about these issues, please contact the author(s) of this article or your existing firm contact. The invitation to contact the author is not to be construed as a solicitation for legal work in any jurisdiction in which the author is not admitted to practice. There will be no charge for the initial contact. Any attorney/client relationship must be confirmed in writing. You may also contact us through our Web site at www.kilpatrickstockton.com
