HIPAA Privacy Rule - What Employers Need to Know for Section 105 Reimbursement Plans

Written by: PeopleKeep Team
June 20, 2014 at 11:00 AM

When an employer uses a Section 105 Medical Reimbursement Plan to reimburse employees tax-free for personal health insurance premiums or medical expenses, they should ensure they comply with the HIPAA Privacy Rule.

A Section 105 Medical Reimbursement Plan ("Section 105 Reimbursement Plan") is a self-funded health plan and is governed by HIPAA Privacy Rules. Section 105 Plans include Integrated HRAs, used for reimbursement of deductible and medical expenses, and Healthcare Reimbursement Plans (HRPs), used for premium reimbursement.

In order to administer a Section 105 Reimbursement Plan, the entity processing employee claims receives Protected Health Information (PHI) that is protected by HIPAA. Employers that do not comply can be subject to civil penalties of up to $100 per violation, and those penalties accumulate across multiple violations.

Let's take a closer look at the HIPAA Privacy Rule and how it affects employers when administering a Section 105 Reimbursement Plan.

What is the primary purpose of the HIPAA Privacy Rule for Reimbursement Plans?

The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information.

  • It gives patients more control over their health information.
  • It sets boundaries on the use and release of health records.
  • It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
  • It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.

The rule also strikes a balance where public responsibility supports disclosure of some forms of data, for example to protect public health.

For patients, it means being able to make informed choices when seeking care and reimbursement for care, based on how personal health information may be used.

  • It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
  • It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
  • It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
  • It empowers individuals to control certain uses and disclosures of their health information.

The rule protects any personally identifiable health information (Protected Health Information, or PHI) that pertains to a consumer of health care services from unauthorized disclosure.

What is considered "personally identifiable health information" for Reimbursement Plans?

Health information is considered to be personally identifiable if it relates to a specifically identifiable individual; it generally includes the following, whether in electronic, paper, or oral format:

  • Health care claims or health care encounter information, such as documentation of doctor's visits and notes made by physicians and other provider staff;
  • Health care payment and remittance advice;
  • Coordination of health care benefits;
  • Health care claim status;
  • Enrollment and disenrollment in a health plan;
  • Eligibility for a health plan;
  • Health plan premium payments;
  • Referral certifications and authorization;
  • First report of injury;
  • Health claims attachments.

What is a covered entity with regard to Reimbursement Plans?

The Privacy Rule applies to health plans, health care clearinghouses, and health care providers. It applies to employers only to the extent that they operate in one or more of those capacities. Because Section 105 Plans are self-insured health plans, an employer sponsoring one falls within that scope.

How is an employer a covered entity with Reimbursement Plans?

Normally, an employer will only deal with covered entities rather than being one. However, when an employer provides a self-insured health plan for employees (e.g. a Section 105 Plan), or acts as the intermediary between its employees and health care providers, it will find itself handling the kind of PHI that is protected by the HIPAA Privacy Rule.

What must employers do to protect employee PHI when administering a Reimbursement Plan?

Employers offering a Section 105 Reimbursement Plan must adopt written PHI privacy procedures and designate a privacy officer. They must also establish a process that employees can use to file complaints, and a process for dealing with those complaints. Finally, they must take any measures necessary to ensure that PHI is not used for making employment or benefits decisions.

What do the written privacy procedures need to include?

An employer's written privacy procedures for a Section 105 Reimbursement Plan must include administrative safeguards for handling PHI, physical security for that information, and electronic and other technical security. The procedures should also include the designation of a privacy officer and an explanation of the complaint and resolution process.

What penalties apply to violations of privacy rule requirements?

There are civil penalties of $100 per violation, but the penalties can be "stacked" if there are multiple violations with respect to a single individual.

The maximum civil penalties are $25,000 per year, per person, per standard. Thus, if two standards were violated with respect to one person, the potential penalties could amount to as much as $50,000. Criminal penalties (up to a $250,000 fine and ten years in prison) may be imposed for "knowingly and improperly" disclosing information or obtaining information under "false pretenses", with higher penalties reserved for violations designed for financial gain or "malicious harm".

In addition, state laws may impose further penalties for the same offenses, and most states would also allow common-law suits for torts such as invasion of privacy and infliction of emotional distress, among other causes of action. In November 2004, a federal district court sentenced a former employee of a Seattle, Washington cancer clinic to 16 months in prison under the criminal penalty provisions of HIPAA after he admitted he used a patient's birthdate and SSN information to fraudulently obtain four credit cards in the patient's name and charge over $9,000 in goods.

What safeguards can an employer put in place to ensure compliance with HIPAA?

Because of HIPAA compliance, and other compliance rules (ERISA, ACA, IRS, COBRA, etc.), most employers use a third party administrator to set up the appropriate Plan Documents and process reimbursement requests ("claims"). Using a third party, such as compliant healthcare reimbursement software, creates the needed safeguards to comply with HIPAA and avoid the fines.

More information on the HIPAA Privacy Rules can be found on HHS's website (http://www.hhs.gov/ocr/hipaa/).

What questions do you have about HIPAA and Section 105 Reimbursement Plans? Leave a comment.

Topics: Health Reimbursement Arrangement, Section 105, HIPAA
