We often get asked if a small business owner can administer a small business HRA for their employees. Can I administer a QSEHRA myself? The answer? Not really. Here's why experts don't recommend it...
Can I administer a QSEHRA myself?
There are a few very valid reasons why that isn't a great idea.
PRIVACY: For starters, given the nature of a small business HRA and the private health information it involves when it comes to filing reimbursements for qualified medical expenses, privacy is a big issue, even before we get into the whole HIPAA aspect of it (more on that below). As an employer, you would have access to personal information about your employees' health. This could be potentially uncomfortable for everyone involved.
PAPERWORK: It's a hassle for employers to keep up with medical receipts and time-consuming to maintain them in a secure way, not to mention the necessary paperwork that comes with it.
HIPAA COMPLIANCE: Ok, this is the big one. Because small business HRAs are designed for companies with fewer than 50 employees, they don't technically fall within many of the federal laws that affect health plans built for larger corporations. But that doesn't mean you are off the hook when it comes to HIPAA (the Health Insurance Portability and Accountability Act of 1996). Some parts of HIPAA still apply to small business HRAs. Why? Because all health plans, including those reimbursed through a QSEHRA, must observe the HIPAA Privacy Rule, regardless of the company's size. This rule is designed to protect patients' PHI.
PHI (Protected Health Information) comes in all sorts of communication forms, including hard documentation, emails and telephone calls. Here are a few "real life" examples that could come into play when an employee submits verification for qualifying medical expenses to an employer.
- A bill from a doctor's visit
- An MRI scan
- Lab work results
- Phone records
- Explanation of benefits
- An email to a doctor's office asking about a medication
- Appointment scheduling card from doctor
- Referral documentation
- Documentation from health claims
- Benefit information or payments
- Social security numbers, medical record numbers, fax numbers, phone numbers, health insurance beneficiary numbers, etc.
Now that is a lot to keep track of.
What does it mean for a small business to be HIPAA compliant?
Here are a few rules to remain compliant with HIPAA:
- A company is responsible for ensuring plan documents and software are up to date and compliant with the most recent changes.
- Employees' PHI cannot be used to make any work-related decisions. Example: You can't fire someone based on shared health information.
- A system must be in place to protect all sensitive information at all times.
- HIPAA compliant procedures and documentation should be included in your small business HRA contract documents and should list any actions you plan to take to ensure your employee’s PHI is fully protected.
- HIPAA privacy officers must be identified within the business to handle sensitive information. Administration procedures must ensure no one outside of the designated privacy officers has access to employees’ PHI.
What are the HIPAA penalties for employers?
Penalties for HIPAA noncompliance are no joking matter. From the less-serious "Reasonable Cause" to the more-serious "Willful Neglect," these civil penalties can range from $100 to $50,000 per incident with no jail time. More serious offenses can result in up to $250,000 in fines and 10 years in prison, especially if information was taken under false pretenses or disclosed on purpose.
If that wasn't enough of a deterrent, state laws could impose additional penalties for the same offenses. Also, even if you didn't intend for noncompliance to occur or it was an accident, you are still liable. There is no safe haven here.
QSEHRA administration, the better alternative
With your employees' privacy and costly violations on the line, why chance it? Let Take Command's QSEHRA administration tool do all the heavy lifting for you.
Our platform drafts plan documents with HIPAA compliant language and instant updates, and takes care of QSEHRA administration requirements like reviewing documents that contain protected health information. We'll also handle all the accounting and legal legwork, take care of onboarding each of your employees, and make tax time easy and painless. You'll never have to hassle with receipts or worry about setting up a health plan again.
I wrote this blog because I care about ideas (big and little) that can help fix our healthcare system. I used to work on projects for Kaiser Permanente and the Parkland Health & Hospital System so I've seen the system inside and out. It's so important that consumers keep up with industry shifts and changing health insurance regulations. I'm also Take Command Health's Content Editor and a busy mom. Learn more about me and connect with me on our about us page. Thanks!