HIPAA Compliance for ICHRAs and QSEHRAs

Learn how HIPAA applies to Individual Coverage HRAs (ICHRAs) and Qualified Small Employer HRAs (QSEHRAs).

Many small businesses offering Individual Coverage HRAs (ICHRAs) or Qualified Small Employer HRAs (QSEHRAs) assume they need to sign Business Associate Agreements (BAAs) with their vendors or build full HIPAA compliance programs from scratch. In most cases, that isn’t required, but the specifics depend on employer size and what types of expenses are being reimbursed.

This guide explains how HIPAA applies to ICHRAs and QSEHRAs and clarifies how Salusion fits within that framework.

Key Takeaways

  • HIPAA does not automatically apply to every ICHRA or QSEHRA.
  • The small-plan exemption (fewer than 50 participants, administered solely by the employer) means most small employers are not subject to HIPAA’s Privacy and Security Rules.
  • Even larger plans generally fall outside HIPAA's Privacy and Security Rules when the HRA reimburses only individual insurance premiums, because verifying proof of coverage does not involve handling Protected Health Information (PHI).
  • HIPAA's Privacy and Security Rules come into play when a plan that does not qualify for the exemption reimburses medical expenses that require handling PHI; in that case a Business Associate Agreement may be required for any third party that processes PHI on the plan's behalf.

HIPAA Overview for Group Health Plans

ICHRAs and QSEHRAs are both considered group health plans under ERISA and HIPAA. However, not every plan is subject to HIPAA’s Privacy and Security Rules. The determining factors are plan size and whether the plan—or any third-party administrator—handles Protected Health Information (PHI).

According to the U.S. Department of Health and Human Services (HHS):

“A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.”
(45 C.F.R. § 160.103; HHS Summary of the HIPAA Privacy Rule, hhs.gov)

This means that HRAs with fewer than 50 participants are generally exempt from HIPAA’s Privacy and Security Rules if administered directly by the employer.

For larger plans with 50 or more participants, HIPAA generally applies, but the plan itself, not the employer, is the covered entity. A Business Associate Agreement (BAA) is needed only when a covered plan hires a third party to perform functions that involve PHI on the plan's behalf.

Even for larger plans, HIPAA's Privacy and Security Rules generally do not come into play when an ICHRA reimburses only individual insurance premiums, because verifying proof of coverage does not involve reviewing PHI.

QSEHRAs, on the other hand, are limited by law to employers with fewer than 50 full-time employees (counting full-time equivalents). Because of this size restriction, they almost always qualify for the small-plan exemption and are not subject to HIPAA's Privacy and Security Rules.

Premium-Only vs. Medical Expense Reimbursements

Both ICHRAs and QSEHRAs can be designed to reimburse either individual health insurance premiums, qualified medical expenses, or both. The distinction matters because HIPAA applies only when medical information is handled as part of plan administration.

When an HRA reimburses premiums only, the employer or administrator usually just verifies that the employee maintains qualifying coverage. Since no medical information or claims are reviewed, these arrangements are administrative in nature and not subject to HIPAA’s Privacy and Security Rules, regardless of employer size.

However, when an HRA also reimburses medical expenses—such as prescriptions, copays, or dental and vision services—the plan or its administrator must review documentation containing medical details. In this case, the plan is handling PHI, which can trigger HIPAA requirements depending on the number of participants.

For HRAs with fewer than 50 participants that the employer administers itself, the small-plan exemption still applies even when medical expenses are reimbursed. For plans with 50 or more participants, HIPAA's Privacy and Security Rules typically take effect, and a Business Associate Agreement may be required for any third party that processes PHI.

Because QSEHRAs are limited to small employers, they rarely involve PHI beyond proof of insurance and usually remain outside HIPAA’s scope. Larger employers offering ICHRAs can also avoid HIPAA obligations by limiting reimbursements to premiums only and not requesting medical documentation.

Why This Matters

Understanding how HIPAA applies to HRAs helps employers avoid unnecessary compliance efforts while still protecting employee information. Many small employers assume they must follow HIPAA's full Privacy and Security Rules or sign Business Associate Agreements with their vendors. In reality, most small ICHRAs and nearly all QSEHRAs qualify for the small-plan exemption and are not subject to these requirements.

When an HRA is exempt, the employer and its vendors are not considered HIPAA-covered entities or business associates, and a Business Associate Agreement is not required.

Salusion’s role: Even when HIPAA does not apply, Salusion maintains strong data-security measures—such as encryption, access controls, and secure data handling—to protect sensitive employee information. For HRAs that fall under HIPAA’s scope, Salusion supports employers by ensuring that all systems and processes meet industry standards for privacy and security.

For employers with 50 or more participants, HIPAA applies only when the plan reimburses medical expenses involving PHI. If an ICHRA reimburses premiums only, the plan generally remains outside HIPAA’s scope. When medical reimbursements are included, HIPAA applies, and a BAA may be required for third-party administrators handling PHI.

In Summary

  • HIPAA’s requirements can seem complex, but most small HRAs are exempt under the small-plan provision, keeping compliance straightforward for employers.
  • QSEHRAs are available only to small employers and generally remain outside HIPAA’s scope.
  • For ICHRAs, compliance depends on plan size and reimbursement type. Premium-only plans typically do not handle Protected Health Information and are not subject to HIPAA.
  • Once an ICHRA reimburses medical expenses such as prescriptions or copays, the plan may handle PHI, which can trigger HIPAA’s Privacy and Security Rules and require a Business Associate Agreement.
  • Even when HIPAA does not apply, employers should work with vendors who maintain strong data security and privacy safeguards. Salusion meets these standards across all plan types, ensuring data is protected at every level.