HSA distributions and HIPAA
HSA distributions and HIPAA
I've seen many HSA threads, but not this question. Some HSA custodians (e.g. HealthEquity) require that you give some kind of medical justification when you want to make a withdrawal from your HSA funds. It is not possible to get access to your funds without making some kind of declaration as to medical activity, including naming an individual to whom the expenses are attributed. This medical information is required by the HSA custodian, even for a withdrawal to your personal bank account.
Surely the HSA custodian has no legitimate reason for such information. They have no right or responsibility to any medical information. The issue of verifying medical expenses is purely between the individual and the IRS. The HSA custodian should collect and report purely financial data such as contributions and distributions, with no medical content included.
Does this violate HIPAA or any such thing, by demanding medical information they have no reason to obtain? And are they violating any financial laws when they refuse your request to make a withdrawal unless you make a medical declaration?
Surely the HSA custodian has no legitimate reason for such information. They have no right or responsibility to any medical information. The issue of verifying medical expenses is purely between the individual and the IRS. The HSA custodian should collect and report purely financial data such as contributions and distributions, with no medical content included.
Does this violate HIPAA or any such thing, by demanding medical information they have no reason to obtain? And are they violating any financial laws when they refuse your request to make a withdrawal unless you make a medical declaration?
Re: HSA distributions and HIPAA
See previous thread: viewtopic.php?t=177222*3!4!/5! wrote:Surely the HSA custodian has no legitimate reason for such information. They have no right or responsibility to any medical information.
They are not requesting medical information. They only help you record and remember which expenses are reimbursed. If you keep the records on your own, they will accept your name or 'Various Providers' with a date range.
Harry Sit has left the forums.
Re: HSA distributions and HIPAA
I didn't see that thread. But it doesn't answer the question "is it legal". There is a combination of invasion of medical privacy, and burdensome obstacles to financial access to your funds. I'm not comfortable with various "workarounds" to the medical declarations (which still require assigning medical expense amounts to specific family members). I really wonder if HealthEquity is breaking the law.
Re: HSA distributions and HIPAA
What would happen if you told the HSA administrator, "I just want the money"?
Without qualified medical expenses you have tax and penalty to pay when you file your 1040 return.
Without qualified medical expenses you have tax and penalty to pay when you file your 1040 return.
Re: HSA distributions and HIPAA
If you say "I just want the money" they will not give it to you. To get your money, you must make an explicit declaration as to medical expenses. I asked them about this.clydewolf wrote:What would happen if you told the HSA administrator, "I just want the money"?
Without qualified medical expenses you have tax and penalty to pay when you file your 1040 return.
This is HealthEquity, but I do want to hear of others' positive/negative experiences with other HSA custodians.
To be clear, I'm talking about withdrawing lump sum amounts for previously accumulated qualified medical expenses which can be fully documented to the IRS if/when needed.
Re: HSA distributions and HIPAA
My HSA is with Alliant Credit Union.*3!4!/5! wrote: I do want to hear of others' positive/negative experiences with other HSA custodians.
At any time, I can write myself a check. Or I can login online and move funds from HSA to my share account. Per the website: "One time transfers are effective immediately." Alliant does not ask for a reason or documentation. There is a warning, "Distributions from HSA are reported to the IRS and are taxable if not used for qualified medical expenses."
Re: HSA distributions and HIPAA
Does your employer fund the HSA or do you fund the HSA, or a joint effort.*3!4!/5! wrote:If you say "I just want the money" they will not give it to you. To get your money, you must make an explicit declaration as to medical expenses. I asked them about this.clydewolf wrote:What would happen if you told the HSA administrator, "I just want the money"?
Without qualified medical expenses you have tax and penalty to pay when you file your 1040 return.
This is HealthEquity, but I do want to hear of others' positive/negative experiences with other HSA custodians.
To be clear, I'm talking about withdrawing lump sum amounts for previously accumulated qualified medical expenses which can be fully documented to the IRS if/when needed.
The HSA administrator does seem to be over the top.
Re: HSA distributions and HIPAA
Personally I have to have the employer-selected HealthEquity HSA to contribute via payroll deduction, so I have to use it to receive the contributions (or forfeit significant tax advantages). I know I can transfer 99% of the funds to another custodian, and just leave HealthEquity HSA open to receive the contributions. (I'll probably do that to use a better HSA anyway.)
But I also wanted to ask my question independent of my personal case. My question is about the legality of HealthEquity HSA demanding a medical declaration in order to access your funds. It doesn't seem right to me.
But I also wanted to ask my question independent of my personal case. My question is about the legality of HealthEquity HSA demanding a medical declaration in order to access your funds. It doesn't seem right to me.
- pondering
- Posts: 1127
- Joined: Fri Jan 30, 2015 10:04 pm
- Location: 412-977-3526, originally 718-273-2422
- Contact:
Re: HSA distributions and HIPAA
This is interesting because I have a health spending a debit card and we have had various charges declined because there hasn't been a medical procedure code on the bill.
There was a bill from MedExpress that they paid the $10 deductible on we went back-and-forth multiple times.
There was a bill from MedExpress that they paid the $10 deductible on we went back-and-forth multiple times.
--Robert Sterbal |
robert@sterbal.com |
412-977-3526
-
- Posts: 2349
- Joined: Sun Mar 04, 2012 5:30 pm
Re: HSA distributions and HIPAA
HIPAA only applies to covered entities. I may be wrong, but I highly doubt a bank is a covered entity.
https://privacyruleandresearch.nih.gov/pr_06.asp
https://privacyruleandresearch.nih.gov/pr_06.asp
Re: HSA distributions and HIPAA
I tried googling these topics but got hopelessly lost. I don't understand the legalities.toofache32 wrote:HIPAA only applies to covered entities. I may be wrong, but I highly doubt a bank is a covered entity.
https://privacyruleandresearch.nih.gov/pr_06.asp
But common sense tells me there's something wrong with HealthEquity HSA (especially if you view them as a bank) refusing to let you withdraw funds, unless you make a declaration regarding medical activity. Banks don't normally demand information on the use of your money you want to withdraw. Other HSAs don't seem to do this.
Re: HSA distributions and HIPAA
It appears your employer has this requirement with the HSA administrator.
I did some googling, and found this, but I assume you read this too:
On this issue, HHS has made the following statements in the preamble to the HIPAA privacy rules:
"We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilities or effects the transfer of funds for compensation for health care (emphasis added). A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider being paid." (See, 65 Fed. Reg. 82476 (December 28, 2000) and HHS FAQ, Page 43 (December 3, 2002))."
scroll down about 3/5ths of the way: http://www.mondaq.com/unitedstates/x/25 ... e+Acronyms
I did some googling, and found this, but I assume you read this too:
On this issue, HHS has made the following statements in the preamble to the HIPAA privacy rules:
"We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilities or effects the transfer of funds for compensation for health care (emphasis added). A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider being paid." (See, 65 Fed. Reg. 82476 (December 28, 2000) and HHS FAQ, Page 43 (December 3, 2002))."
scroll down about 3/5ths of the way: http://www.mondaq.com/unitedstates/x/25 ... e+Acronyms
Re: HSA distributions and HIPAA
Thanks. If I pay my dentist with my credit card, obviously some medical information is transmitted (i.e. that I went to the dentist). That doesn't bother me.clydewolf wrote:It appears your employer has this requirement with the HSA administrator.
I did some googling, and found this, but I assume you read this too:
On this issue, HHS has made the following statements in the preamble to the HIPAA privacy rules:
"We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilities or effects the transfer of funds for compensation for health care (emphasis added). A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider being paid." (See, 65 Fed. Reg. 82476 (December 28, 2000) and HHS FAQ, Page 43 (December 3, 2002))."
scroll down about 3/5ths of the way: http://www.mondaq.com/unitedstates/x/25 ... e+Acronyms
But if I want to transfer $X of funds from my HSA to my checking account, there should not be any medical information involved. It is a purely financial transaction. I don't see why any medical declarations should be required.
The fact that very few or no other HSAs do this strongly suggests that HealthEquity HSA is way out of line here.
Re: HSA distributions and HIPAA
Contact a class action attorney. You have an opportunity to get a piece of the settlement.*3!4!/5! wrote:But common sense tells me there's something wrong with HealthEquity HSA (especially if you view them as a bank) refusing to let you withdraw funds, unless you make a declaration regarding medical activity.
Harry Sit has left the forums.
Re: HSA distributions and HIPAA
As far as I know, HIPAA applies to health providers not releasing your medical information without your consent. It does not cover you releasing your own medical information to a bank or whether they can ask you to "voluntarily" provide that information.
That said, I agree with you that they shouldn't ask. Most HSAs don't seem to ask.
Will they allow you to keep the responses in the generic (e.g. "various medical providers for services received in 2015") and in the meantime you can take it up with your employer as well? (Since it is their contract with the HSA and seems something they asked HSA to collect?)
That said, I agree with you that they shouldn't ask. Most HSAs don't seem to ask.
Will they allow you to keep the responses in the generic (e.g. "various medical providers for services received in 2015") and in the meantime you can take it up with your employer as well? (Since it is their contract with the HSA and seems something they asked HSA to collect?)
Re: HSA distributions and HIPAA
Seems wrong to me as well. No reason you should ever need to put something highly personal like "HIV related expense" or such on a bank form.hcj wrote:As far as I know, HIPAA applies to health providers not releasing your medical information without your consent. It does not cover you releasing your own medical information to a bank or whether they can ask you to "voluntarily" provide that information.
That said, I agree with you that they shouldn't ask. Most HSAs don't seem to ask.
Will they allow you to keep the responses in the generic (e.g. "various medical providers for services received in 2015") and in the meantime you can take it up with your employer as well? (Since it is their contract with the HSA and seems something they asked HSA to collect?)
Optum will let me transfer money to my linked bank account with no reason given whatsoever, with the understanding that I'm responsible for it being for a qualified medical expense. There is a field I can put something for my own purposes, which I fill in with the non-detailed cause of the expense. Having some notation is very helpful, because if you are ever audited for your HSA use it would be nice not to wonder "what exactly WAS that $86.97 I transferred to myself for?