Setting up your own HRA without an HRA administrator can be confusing and time-consuming, from the compliance requirements to the administrative burden. It’s important to stay compliant or the IRS could deem your HRA to be invalid and all of your reimbursements to be taxable (for both you and your employees). Yikes. So when we get the question, “Can an employer administer their own HRA?” we have to say “No.” Here’s why!
HRAs and Private Health Information
This is the big one. For reimbursements to be tax-free, you have to substantiate that employees are using it to pay for health insurance and medical expenses. You can just have employees submit receipts to you, right? Well, the catch is information about your employees’ medical expenses (including individual insurance premiums) is considered Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
PHI (Protected Health Information) comes in all sorts of communication forms, including hard documentation, emails and telephone calls. Here are a few "real life" examples that could come into play when an employee submits verification for qualifying medical expenses to an employer.
- A bill from a doctor's visit
- An MRI scan
- Lab work results
- Phone records
- Explanation of benefits
- An email to a doctor's office asking about a medication
- Appointment scheduling card from doctor
- Referral documentation
- Documentation from health claims
- Benefit information or payments
- Social security numbers, medical record numbers, fax numbers, phone numbers, health insurance beneficiary numbers, etc.
Given the nature of an HRA and the private health information involved filing reimbursements for qualified medical expenses, privacy is a big issue, even before we get into the whole HIPAA aspect of it (more on that below). As an employer, you would have access to personal information about your employees' health. This could be potentially uncomfortable for everyone involved.
It's a hassle for employers to keep up with medical receipts and time-consuming to maintain them in a secure way. The IRS requires businesses to keep records up to 7 years. That means you’ll need a secure way to keep your employees’ medical receipts and their PHI secure and safe for up to 7 years. The organizational method of receipts in a shoebox isn't going to cut it.
HRAs and HIPAA Compliance
Because small business HRAs (QSEHRA) are designed for companies with less than 50 employees, it doesn’t technically fall within many of the federal laws that affect health plans built for larger corporations. But that doesn't mean you are off the hook when it comes to HIPAA (the Health Insurance Portability and Accountability Act of 1996) for both ICHRA and QSEHRA.
Here's why. Because all health plans must observe the HIPAA Privacy Rule, regardless of the company's size. This rule protects patients' personal health information (PHI), meaning the hard documentation, emails, and telephone calls regarding an individual's health information.
Leveraging an HRA administrator provides a necessary layer of privacy.
For reimbursements to be tax-free, employers have to substantiate that employees are using funds to pay for health insurance and medical expenses. However, having employees submit receipts directly creates a significant problem because information about employees’ medical expenses (including individual insurance premiums) is considered Protected Health Information under HIPAA. Employers asking for employee medical records is a HIPAA privacy violation.
Penalties for HIPAA noncompliance are no joking matter. From the less-serious "Reasonable Cause" to the more-serious "Willful Neglect," these civil penalties can range from $100 to $50,000 per incident with no jail time to more serious offenses resulting in up to $250,000 in fines and 10 years in prison, especially if information was taken under false pretenses or disclosed on purpose.
If that wasn't enough of a deterrent, state laws could impose additional penalties for the same offenses. Also, even if you didn't intend for noncompliance to occur or it was an accident, you are still liable. There is no safe haven here.
In case you haven’t noticed, healthcare policy is constantly changing. HRAs, for example, are new and evolving. The bipartisan nature of HRAs gives us confidence they will be around for the long-term, but we expect small adjustments and regulatory refinements along the way. Do you really want to keep up with that yourself?
Let us help you administer your HRA!
With your employees' privacy and costly violations on the line, why chance it? Let Take Command Health's QSEHRA administration tool do all the heavy lifting for you. We can also get you set up with an ICHRA if that’s a better fit for your business.
You'll never have to hassle with receipts or worry about setting up a health plan again.
Our platform drafts plan documents with HIPAA compliant language and instant updates, and takes care of HRA administration requirements like reviewing documents that contain protected health information. We'll also handle all the accounting and legal legwork, take care of onboarding each of your employees, and make tax time easy and painless.