HSA distributions and HIPAA

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills.
Post Reply
Topic Author
*3!4!/5!
Posts: 1256
Joined: Fri Sep 02, 2016 1:47 pm

HSA distributions and HIPAA

Post by *3!4!/5! »

I've seen many HSA threads, but not this question. Some HSA custodians (e.g. HealthEquity) require that you give some kind of medical justification when you want to make a withdrawal from your HSA funds. It is not possible to get access to your funds without making some kind of declaration as to medical activity, including naming an individual to whom the expenses are attributed. This medical information is required by the HSA custodian, even for a withdrawal to your personal bank account.

Surely the HSA custodian has no legitimate reason for such information. They have no right or responsibility to any medical information. The issue of verifying medical expenses is purely between the individual and the IRS. The HSA custodian should collect and report purely financial data such as contributions and distributions, with no medical content included.

Does this violate HIPAA or any such thing, by demanding medical information they have no reason to obtain? And are they violating any financial laws when they refuse your request to make a withdrawal unless you make a medical declaration?
User avatar
tfb
Posts: 8397
Joined: Mon Feb 19, 2007 4:46 pm

Re: HSA distributions and HIPAA

Post by tfb »

*3!4!/5! wrote:Surely the HSA custodian has no legitimate reason for such information. They have no right or responsibility to any medical information.
See previous thread: viewtopic.php?t=177222

They are not requesting medical information. They only help you record and remember which expenses are reimbursed. If you keep the records on your own, they will accept your name or 'Various Providers' with a date range.
Harry Sit has left the forums.
Topic Author
*3!4!/5!
Posts: 1256
Joined: Fri Sep 02, 2016 1:47 pm

Re: HSA distributions and HIPAA

Post by *3!4!/5! »

I didn't see that thread. But it doesn't answer the question "is it legal". There is a combination of invasion of medical privacy, and burdensome obstacles to financial access to your funds. I'm not comfortable with various "workarounds" to the medical declarations (which still require assigning medical expense amounts to specific family members). I really wonder if HealthEquity is breaking the law.
clydewolf
Posts: 783
Joined: Tue Jul 21, 2015 12:51 pm

Re: HSA distributions and HIPAA

Post by clydewolf »

What would happen if you told the HSA administrator, "I just want the money"?

Without qualified medical expenses you have tax and penalty to pay when you file your 1040 return.
Topic Author
*3!4!/5!
Posts: 1256
Joined: Fri Sep 02, 2016 1:47 pm

Re: HSA distributions and HIPAA

Post by *3!4!/5! »

clydewolf wrote:What would happen if you told the HSA administrator, "I just want the money"?

Without qualified medical expenses you have tax and penalty to pay when you file your 1040 return.
If you say "I just want the money" they will not give it to you. To get your money, you must make an explicit declaration as to medical expenses. I asked them about this.

This is HealthEquity, but I do want to hear of others' positive/negative experiences with other HSA custodians.

To be clear, I'm talking about withdrawing lump sum amounts for previously accumulated qualified medical expenses which can be fully documented to the IRS if/when needed.
User avatar
Flobes
Posts: 1771
Joined: Mon Feb 15, 2010 11:40 pm
Location: Home

Re: HSA distributions and HIPAA

Post by Flobes »

*3!4!/5! wrote: I do want to hear of others' positive/negative experiences with other HSA custodians.
My HSA is with Alliant Credit Union.

At any time, I can write myself a check. Or I can login online and move funds from HSA to my share account. Per the website: "One time transfers are effective immediately." Alliant does not ask for a reason or documentation. There is a warning, "Distributions from HSA are reported to the IRS and are taxable if not used for qualified medical expenses."
clydewolf
Posts: 783
Joined: Tue Jul 21, 2015 12:51 pm

Re: HSA distributions and HIPAA

Post by clydewolf »

*3!4!/5! wrote:
clydewolf wrote:What would happen if you told the HSA administrator, "I just want the money"?

Without qualified medical expenses you have tax and penalty to pay when you file your 1040 return.
If you say "I just want the money" they will not give it to you. To get your money, you must make an explicit declaration as to medical expenses. I asked them about this.

This is HealthEquity, but I do want to hear of others' positive/negative experiences with other HSA custodians.

To be clear, I'm talking about withdrawing lump sum amounts for previously accumulated qualified medical expenses which can be fully documented to the IRS if/when needed.
Does your employer fund the HSA or do you fund the HSA, or a joint effort.

The HSA administrator does seem to be over the top.
Topic Author
*3!4!/5!
Posts: 1256
Joined: Fri Sep 02, 2016 1:47 pm

Re: HSA distributions and HIPAA

Post by *3!4!/5! »

Personally I have to have the employer-selected HealthEquity HSA to contribute via payroll deduction, so I have to use it to receive the contributions (or forfeit significant tax advantages). I know I can transfer 99% of the funds to another custodian, and just leave HealthEquity HSA open to receive the contributions. (I'll probably do that to use a better HSA anyway.)

But I also wanted to ask my question independent of my personal case. My question is about the legality of HealthEquity HSA demanding a medical declaration in order to access your funds. It doesn't seem right to me.
User avatar
pondering
Posts: 1127
Joined: Fri Jan 30, 2015 10:04 pm
Location: 412-977-3526, originally 718-273-2422
Contact:

Re: HSA distributions and HIPAA

Post by pondering »

This is interesting because I have a health spending a debit card and we have had various charges declined because there hasn't been a medical procedure code on the bill.

There was a bill from MedExpress that they paid the $10 deductible on we went back-and-forth multiple times.
--Robert Sterbal | robert@sterbal.com | 412-977-3526
toofache32
Posts: 2349
Joined: Sun Mar 04, 2012 5:30 pm

Re: HSA distributions and HIPAA

Post by toofache32 »

HIPAA only applies to covered entities. I may be wrong, but I highly doubt a bank is a covered entity.

https://privacyruleandresearch.nih.gov/pr_06.asp
Topic Author
*3!4!/5!
Posts: 1256
Joined: Fri Sep 02, 2016 1:47 pm

Re: HSA distributions and HIPAA

Post by *3!4!/5! »

toofache32 wrote:HIPAA only applies to covered entities. I may be wrong, but I highly doubt a bank is a covered entity.

https://privacyruleandresearch.nih.gov/pr_06.asp
I tried googling these topics but got hopelessly lost. I don't understand the legalities.

But common sense tells me there's something wrong with HealthEquity HSA (especially if you view them as a bank) refusing to let you withdraw funds, unless you make a declaration regarding medical activity. Banks don't normally demand information on the use of your money you want to withdraw. Other HSAs don't seem to do this.
clydewolf
Posts: 783
Joined: Tue Jul 21, 2015 12:51 pm

Re: HSA distributions and HIPAA

Post by clydewolf »

It appears your employer has this requirement with the HSA administrator.

I did some googling, and found this, but I assume you read this too:

On this issue, HHS has made the following statements in the preamble to the HIPAA privacy rules:
"We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilities or effects the transfer of funds for compensation for health care (emphasis added). A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider being paid." (See, 65 Fed. Reg. 82476 (December 28, 2000) and HHS FAQ, Page 43 (December 3, 2002))."

scroll down about 3/5ths of the way: http://www.mondaq.com/unitedstates/x/25 ... e+Acronyms
Topic Author
*3!4!/5!
Posts: 1256
Joined: Fri Sep 02, 2016 1:47 pm

Re: HSA distributions and HIPAA

Post by *3!4!/5! »

clydewolf wrote:It appears your employer has this requirement with the HSA administrator.

I did some googling, and found this, but I assume you read this too:

On this issue, HHS has made the following statements in the preamble to the HIPAA privacy rules:
"We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilities or effects the transfer of funds for compensation for health care (emphasis added). A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider being paid." (See, 65 Fed. Reg. 82476 (December 28, 2000) and HHS FAQ, Page 43 (December 3, 2002))."

scroll down about 3/5ths of the way: http://www.mondaq.com/unitedstates/x/25 ... e+Acronyms
Thanks. If I pay my dentist with my credit card, obviously some medical information is transmitted (i.e. that I went to the dentist). That doesn't bother me.

But if I want to transfer $X of funds from my HSA to my checking account, there should not be any medical information involved. It is a purely financial transaction. I don't see why any medical declarations should be required.

The fact that very few or no other HSAs do this strongly suggests that HealthEquity HSA is way out of line here.
User avatar
tfb
Posts: 8397
Joined: Mon Feb 19, 2007 4:46 pm

Re: HSA distributions and HIPAA

Post by tfb »

*3!4!/5! wrote:But common sense tells me there's something wrong with HealthEquity HSA (especially if you view them as a bank) refusing to let you withdraw funds, unless you make a declaration regarding medical activity.
Contact a class action attorney. You have an opportunity to get a piece of the settlement.
Harry Sit has left the forums.
hcj
Posts: 261
Joined: Wed Mar 26, 2014 2:21 pm

Re: HSA distributions and HIPAA

Post by hcj »

As far as I know, HIPAA applies to health providers not releasing your medical information without your consent. It does not cover you releasing your own medical information to a bank or whether they can ask you to "voluntarily" provide that information.

That said, I agree with you that they shouldn't ask. Most HSAs don't seem to ask.

Will they allow you to keep the responses in the generic (e.g. "various medical providers for services received in 2015") and in the meantime you can take it up with your employer as well? (Since it is their contract with the HSA and seems something they asked HSA to collect?)
Da5id
Posts: 5066
Joined: Fri Feb 26, 2016 7:20 am

Re: HSA distributions and HIPAA

Post by Da5id »

hcj wrote:As far as I know, HIPAA applies to health providers not releasing your medical information without your consent. It does not cover you releasing your own medical information to a bank or whether they can ask you to "voluntarily" provide that information.

That said, I agree with you that they shouldn't ask. Most HSAs don't seem to ask.

Will they allow you to keep the responses in the generic (e.g. "various medical providers for services received in 2015") and in the meantime you can take it up with your employer as well? (Since it is their contract with the HSA and seems something they asked HSA to collect?)
Seems wrong to me as well. No reason you should ever need to put something highly personal like "HIV related expense" or such on a bank form.

Optum will let me transfer money to my linked bank account with no reason given whatsoever, with the understanding that I'm responsible for it being for a qualified medical expense. There is a field I can put something for my own purposes, which I fill in with the non-detailed cause of the expense. Having some notation is very helpful, because if you are ever audited for your HSA use it would be nice not to wonder "what exactly WAS that $86.97 I transferred to myself for?
Post Reply