The QSEHRA and HIPAA Privacy Requirements: What Are the Rules?

HIPAA • January 15, 2018 at 12:15 PM • Written by: Caitlin Bronson

The qualified small employer health reimbursement arrangement (QSEHRA), or small business HRA, was designed specifically for small businesses with fewer than 50 employees. As such, it isn’t subject to many of the federal laws that affect larger employee health plans.

One such law is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Outlining data privacy and security provisions for medical information, much of the legislation applies only to health plans covering more than 50 employees.

But certain portions of HIPAA apply to all plans—including the QSEHRA.

Regardless of the number of participants, all health plans must observe the HIPAA Privacy Rule. This rule controls when the health plan can and cannot share health information with the company sponsoring the plan.

In this post, we’ll review the HIPAA Privacy Rule, how it applies to the QSEHRA, and what businesses need to know to comply with HIPAA privacy requirements.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is a set of national standards designed to safeguard individuals’ protected health information (PHI).

For businesses offering an employee health benefit, the rule controls the conditions under which employee PHI will be shared outside the health plan, including with the company sponsoring the plan.

PHI is defined as information, including demographic data, that relates to:

  • the individual’s past, present, or future physical or mental health condition;
  • the provision of health care to the individual; or
  • the past, present, or future payment for the provision of health care to the individual;

and that identifies the individual or contains enough information that there’s a reasonable basis to believe it could be used to identify the individual.

What is considered PHI under a QSEHRA?

For the QSEHRA, PHI will most often occur in the form of documentation verifying that the participant incurred a qualified medical expense.

This could include:

  • Documentation of doctor’s visits
  • Notes made by physicians and other provider staff
  • Health care payment and remittance advice
  • Coordination of health care benefits
  • Health care claim status
  • Health policy premium payments
  • Referral certifications and authorization
  • First report of injury
  • Health claims attachments

PHI could occur in electronic, paper, or oral format.

What must small businesses do to comply with the HIPAA Privacy Rule and protect PHI while administering a QSEHRA?

To comply with the HIPAA Privacy Rule, small businesses offering a QSEHRA must certify that employees’ PHI will be protected and not used for employment-related actions. This certification usually occurs in the QSEHRA plan documents and should note the safeguards the business will take for securing the PHI (including physical, electronic, and other forms of technical security).

Small businesses must also designate HIPAA privacy officers through their plan documents. HIPAA privacy officers are the individual or group who will be exposed to the QSEHRA participants’ PHI. HIPAA privacy officers may also designate other people who can be exposed to PHI.

These officials are almost always the same person or group as the plan administrator.

Finally, the business must establish a process for employees to file claims appeals and outline how the process will work.

What penalties could a business face for HIPAA Privacy Rule violations?

If a small business administering a QSEHRA violated the HIPAA Privacy Rule, it could face civil penalties of $100 per violation. These penalties can stack if there are multiple violations affecting a single individual.

The maximum civil penalties are $25,000 per year, per person, per standard.

For example, if two standards were violated with respect to one employee, the penalties could amount to as much as $50,000.

Criminal penalties could also come into play if information was “knowingly and improperly” disclosed, or if information was obtained under “false pretenses.” These fines could reach up to $250,000 and ten years in prison.

Additionally, state laws could impose additional penalties for the same offenses.

How do most small businesses handle HIPAA privacy regulations while administering a QSEHRA?

Complying with HIPAA privacy regulations like the Privacy Rule while administering a QSEHRA requires a great amount of work from a small business. Not only must plan documents be structured correctly, but administration procedures must also ensure no one outside of designated privacy officers has access to employees’ PHI.

Because the benefit relies on employees submitting PHI on a regular basis, this can be difficult.

Most small businesses today rely on a QSEHRA administration tool for offering and managing a QSEHRA. These solutions draft plan documents that include compliant HIPAA language and update them in real time. They also take care of QSEHRA administration requirements like reviewing documents with employees’ PHI so the business doesn’t have to.

And there are time savings as well. With a personalized benefits automation software solution like PeopleKeep, small businesses spend an average of 5 to 15 minutes a month administering a QSEHRA.

In an era when high-profile data breaches are common, anxiety over personal privacy has never been higher. In addition to legal requirements, small business employees expect their companies to protect their health information.

Complying with HIPAA privacy requirements is therefore a matter of both legal necessity and best practice when offering a QSEHRA.

To make sure all requirements are met, most small businesses use a personalized benefits automation software solution.

To learn more, check out our free eBook How to Self-Administer a QSEHRA.