Internal Organization Health Spending Accounts

[Lisa Binns]

#97986

Forum: Private

Good Morning,

I’m looking for guidance on employer verification of Health Spending Account (HSA) claims in Alberta.

If an employer funds an internal HSA rather than using a third-party benefits administrator, is it appropriate for HR/Finance to request copies of invoices to confirm that reimbursements align with plan rules and CRA requirements? The request would be limited to provider name, date of service, service provided, and amount; no medical diagnoses or treatment details.

Also, if an invoice were found to be falsified or not connected to an actual service, could that reasonably be considered grounds for termination for cause, assuming a fair investigation process was followed?

I want to make sure any verification process is ethical, privacy-compliant, and consistent with provincial and federal employment law. Any insight would be appreciated.

Kind regards,

Rebecca

[Haley O’Halloran]

#97989

Can HR/Finance request invoices/receipts for an internally administered HSA?

Yes—it’s generally appropriate for an employer administering its own HSA/PHSP-style reimbursement plan to require receipts/invoices to confirm the expense is eligible under the plan and properly supported for tax purposes.

Two key guardrails:

CRA/tax substantiation: PHSP/HSA reimbursements are typically treated as non-taxable when paid under a qualifying private health services plan and for eligible medical expenses, and the employer should be able to support what was reimbursed. CRA guidance frames this in the context of medical expenses paid under a PHSP.

Alberta privacy (PIPA): Alberta’s Personal Information Protection Act (PIPA) allows collection/use/disclosure of personal information only for purposes a reasonable person would consider appropriate. The Government of Alberta’s PIPA business guide also emphasizes notifying individuals of the purpose for collection (before or at the time of collection).

Your proposed “minimum fields” approach is on the right track. Limiting verification to provider name, date of service, service/expense type, and amount aligns with privacy data minimization and “reasonable purpose” thinking under PIPA.

That said, “service provided” can still be highly sensitive (e.g., psychotherapy, fertility treatment). Even without diagnoses, it can reveal intimate health information—so treat it as sensitive personal information and tighten handling accordingly.

How to make the verification process ethical + privacy-compliant

If you’re self-administering, your biggest risk is internal over-collection and over-access. Consider these controls:

Write it into the plan + claim form: State why receipts are required, what fields are needed, and that employees should black out diagnoses / clinical notes and any unnecessary details. (You may still need enough description to confirm eligibility.)

Need-to-know access: Restrict review to a small, designated role (often one person in Finance/benefits admin), not general HR. Keep managers out entirely.

Separate storage: Store HSA receipts separately from the personnel file, with stricter permissions and audit logs.

Retention + disposal: Keep only as long as needed for plan administration and any tax recordkeeping needs; then securely destroy.

Escalation path: If a receipt looks questionable, escalate to a defined process (benefits admin → HR/Legal) rather than broad sharing.

If you can, use a third party: Even when the employer funds the HSA, outsourcing adjudication can significantly reduce internal exposure to sensitive information (often the cleanest privacy posture).

These steps map well to PIPA’s “reasonable purpose” standard and the requirement to be transparent about collection purposes.

If an invoice is falsified, can that be cause for termination?

Potentially yes, but it’s very fact-dependent and the bar for “just cause” is high.

Canadian courts apply a contextual approach to dishonesty: not every lie or irregularity equals just cause; the question is whether the misconduct fatally damages the employment relationship (trust).

Falsifying receipts to obtain benefits is often treated as serious dishonesty/fraud, and courts have upheld cause in cases involving fabricated benefits/claims—especially where there’s deception during the investigation.

Alberta-focused commentary consistently stresses employers carry the onus and cause is “capital punishment” territory—so process and proportionality matter.

What helps make “cause” more defensible (if you go that route)

A clear written policy that claims must be truthful/accurate and that fraud may lead to discipline up to termination.

A fair investigation: give the employee a chance to explain (mistake vs. intent), review documents, keep good notes, and avoid rushing.

Proportionality: amount involved, role/trust level, prior discipline, whether it’s a one-off error, whether the employee admitted promptly, whether they tried to mislead you afterward.

Consider whether you can prove intentional falsification rather than a misunderstanding about eligibility.

If intent is uncertain, many employers choose to discipline and/or terminate without cause (with appropriate notice/pay) to reduce wrongful dismissal risk.

One more nuance: “internal HSA” design risk

If you’re running the HSA internally, make sure the plan is documented and administered consistently as a PHSP-style arrangement; CRA expects the plan terms to be clear and followed in practice.

I hope this helps.
-HRInsider Staff

[Author]

Posts