Does your church have a cafeteria plan or “flex plan” that allows employees to pay for medical expenses with pre-tax dollars through salary reductions? If so, you may be subject to new privacy rules that took effect on April 14, 2003. Here is what church treasurers should know:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the federal Department of Health and Human Services (HHS) to publish rules for the electronic exchange, privacy and security of health information. HHS published the final version of its so-called “Privacy Rule” in 2002, and it took effect on April 14, 2003 (or April 14, 2004 for “small” health plans with less than $5 million in annual receipts).
- The Privacy Rule applies to health plans and health care providers (“covered entities”) that transmit health information in electronic form.
- Covered entities include employer-sponsored group health plans and church-sponsored health plans. There is an exception for a group health plan with fewer than 50 participants that is administered solely by the employer (and not a third-party administrator).
- A few weeks ago, HHS ruled that cafeteria plans and flexible spending arrangements are covered entities for purposes of the Privacy Rule if they meet the definition of an “employee welfare benefit plan” under ERISA (a federal pension regulation law). This is a very broad definition that will apply to most cafeteria plans and flexible spending arrangements established by churches. Again, there is an exception for plans with fewer than 50 participants that are administered solely by the employer.
- If your church meets the definition of a covered entity, and operates a cafeteria plan or flex plan, then you are required to comply with the various privacy protections spelled out in HIPAA’s Privacy Rule. These protections are complex, so you should consult with an attorney for assistance. Basically, they limit the ways you can use your employees’ personal medical information. Key provisions of these new standards include employee access to medical records; employer notification of employees of their privacy rights under the new law; a prohibition on using employee medical information for any purpose other than health care; a requirement of written employee consent before an employer can release medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care; adoption of written privacy policies and procedures by employers; and special privacy training for employees who will have access to medical information.
- There are civil and criminal penalties for covered entities that misuse personal health information or violate the privacy requirements.
Tip. To help covered entities find out information about the new privacy rules, HHS has established a toll-free information line. The number is (866) 627-7748.
Resource. The March-April 2003 issue of Richard Hammar’s Church Law & Tax Report newsletter has a feature article entitled “Are Prayer Lists Illegal” that addresses the application of HIPAA to pastors and church members.
This article first appeared in Church Treasurer Alert, June 2003.