A health care plan with fewer than 50 participants that’s administered by a sponsoring employer may have fewer compliance hassles. That’s because it’s excluded from the definition of a “group health plan” under administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA). These provisions include privacy and security requirements.

This can be welcome relief for smaller employers, though it should be noted that the definition of “group health plan” for other purposes, such as Employee Retirement Income Security Act (ERISA) and the Consolidated Omnibus Budget Reconciliation Act (COBRA), contain no such exclusion.

Many smaller employers encounter uncertainty when determining just how to define “participant.” For example, say a company has 60 employees, all of whom are eligible for a fully insured medical plan and a health Flexible Spending Account (FSA), but only 40 employees enroll in the medical plan and health FSA.

Does the health FSA, which is presumably administered in-house, qualify for the exclusion from the HIPAA privacy and security requirements for self-administered plans with fewer than 50 participants?

As defined by law

For purposes of the HIPAA exclusion, “participant” is defined under ERISA. The law provides that the term means:

… any employee or former employee of an employer … who is or may become eligible to receive a benefit of any type from an employee benefit plan which covers employees of such employer … or whose beneficiaries may be eligible to receive any such benefit.

This definition has been interpreted to include employees who are eligible for a plan but not enrolled. Applying this interpretation to the HIPAA exclusion, all eligible employees should be counted when determining whether a plan has fewer than 50 participants for purposes of the HIPAA exclusion. Thus, in the example above, the plan is ineligible.

Limitations apply

Note that the exclusion is limited to plans that are fully administered by the sponsoring employer. It doesn’t apply to insured or self-insured plans, including health FSAs, that are administered by an entity other than the sponsoring employer, such as a third-party administrator. If your organization’s plan outsources any administrative function — including, for instance, COBRA compliance — the exclusion won’t apply regardless of the number of participants.

Also, plans that qualify for the exclusion aren’t necessarily excused from compliance with HIPAA’s portability requirements. (That is, HIPAA includes rules regarding special enrollment rights and health-status nondiscrimination.) The portability rules have different provisions regarding the plans that must comply and those that are excepted from compliance.

Strive to simplify

Administering a health care plan will inevitably involve complexities for any employer, small or large. For this very reason, smaller organizations should look carefully into their eligibility for any simplification measures available. Our firm can help you identify ways to lower the costs and improve the efficiency of your health care benefits.



We highly recommend you confer with your Miller Kaplan advisor to understand your specific situation and how this may impact you.