Reimbursing your employees tax-free for health insurance premiums and qualified medical expenses is simple and easy. But HRAs are all subject to several laws and legal requirements that you won't want to overlook. Here's what to know about QSEHRA compliance and how to avoid penalties.
Disclaimer: We always (always, always) recommend that business owners consult with a CPA or lawyer to ensure that all relevant laws are followed. While there are several laws that apply to everyone (which we will cover in this post), there are state-specific regulations and other laws that may be unique to your situation. Better to do your homework.
What are the legal requirements for QSEHRA compliance?
There are several laws that govern the world of HRAs. First we will start with requirements that center on communicating the benefit, either to the IRS or your employees.
- Reporting: The employer must report the amount of benefit the employee was eligible for on the W-2 box 12 using code FF to remain compliant.
- Written Notice: Employer must provide its eligible employees a written notice to each eligible employee at least 90 days before the beginning of each year or, for an employee who is not eligible to participate at the beginning of the year, the date on which the employee is first eligible to participate in the QSEHRA. Here's why this is important: IRS Section 6652(o): Penalty of $50 per employee (up to a maximum of $2,500 per calendar year per eligible employer) for failure to provide the written notice.
Good news: QSEHRA isn't considered a group plan, so it's not subject to COBRA.
While it is subject to general ERISA requirements, it isn't actually subject to ERISA.
QSEHRA compliance and HIPAA
Another major requirement that's extremely important to adhere to is HIPAA. Because small business HRAs are designed for companies with less than 50 employees, it doesn’t technically fall within many of the federal laws that affect health plans built for larger corporations. But that doesn't mean you are off the hook when it comes to HIPAA (the Health Insurance Portability and Accountability Act of 1996). Some parts of HIPAA still apply to small business HRAs. That's because all health plans, including those reimbursed through a Qualified Small Employer HRA, must observe the HIPAA Privacy Rule, regardless of the size of the company. This rule is designed to protect patients' PHI (protected health information like a bill from a doctor's visit or an MRI scan or lab results).
Penalties for HIPAA noncompliance range from the less-serious "Reasonable Cause" to the more-serious "Willful Neglect," costing you $100 to $50,000 per incident with no jail time for the lesser of the two, or up to $250,000 in fines and 10 years in prison if it's more serious (like if information was taken under false pretenses or disclosed on purpose).
State laws could add even more penalties on top of those consequences. Even if you didn't mean to be noncompliant or it was an accident, you are still on the hook.
Here are a few rules HIPAA compliance rules to keep in mind:
- A company is responsible for ensuring plan documents and software are up to date and compliant with the most recent changes.
- Employees' PHI cannot be used to make any work-related decisions. Example: You can't fire someone based on shared health information.
- A system must be in place to protect all sensitive information at all times.
- HIPAA compliant procedures and documentation should be included in your small business HRA contract documents and should list any actions you plan to take to ensure your employee’s PHI is fully protected.
- HIPAA privacy officers must be identified within the business to handle sensitive information. Administration procedures must ensure no one outside of the designated privacy officers has access to employees’ PHI.
Other requirements for QSEHRA
To be thorough here, it's important to ensure that your business is indeed eligible to offer a QSEHRA. The requirements are: 1) be "small" with less than FTE employees, and 2) not offer a group plan.
For employees to be eligible to participate, they must have a health plan that meets Minimum Essential Coverage requirements. MEC is easy to achieve if you have a major medical plan or are covered by your spouse's employer-sponsored plan. But what if you would like to use an alternative plan like a sharing ministry, short-term plan, indemnity plan, or another type of plan? These types of plans will not meet the MEC requirement on their own. Check out our post on where to buy MEC plans for QSEHRA to understand the details.
Take Command Health is a recognized leader in QSEHRA administration and small business HRA tax strategy. We know that QSEHRA compliance can be confusing. The good news is that if you choose a third-party HRA administrator to manage your QSEHRA (like Take Command Health!), we take care of all of this for you and ensure that you remain compliant and out of trouble. It's a lot less stressful, we promise.
Other helpful resources:
Chat with our team any time on our website and we would be happy to help walk you through any questions you may have.