By Mary Ellen Schill
April 11, 2007
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires certain group health plans to provide enrollees with a notice of privacy practices. The HIPAA Privacy Rule requires health plans remind individuals about this privacy notice no less frequently than every three years. A new notice may be sent to all enrollees, but HIPAA only requires the health plan to notify individuals of the availability of the privacy notice and must inform the individuals how to obtain the notice. Health plans that qualified as small health plans that sent their initial notice on or before the initial compliance date of April 14, 2004, must send a reminder to enrollees by April 14, 2007, to comply with the three-year notification requirement. A health plan will satisfy this requirement by notifying only the named insured on the policy and is not required to notify any dependents that are enrolled under the insured’s plan.
Methods to Deliver the Notice: A health plan may satisfy this notice requirement in various ways that may be more cost effective than one separate mailing. The reminder may be included with other material that is distributed to the enrollees. For example, if each enrollee receives a statement from the health plan, this reminder may be included with that mailing. Additionally, the reminder must be given at least every three years, but the enrollee may be reminded on a more frequent basis. For instance, if a health plan sends a monthly statement to the enrollee, the reminder language could be added to the language on the statement. If this manner of informing the enrollee is used, then the health plan can be certain that it is meeting the three-year requirement as long as all enrollees are receiving the statements that contain the reminder.
Other Important Notice Requirements: In addition to the three-year notification requirement, all covered entities need to be aware that another occasion exists that would require a privacy notice to be resent after the initial mailing on the compliance date. If the health plan has changed its procedures for using or disclosing health information, made changes to the individual’s rights under the privacy notice, altered the covered entity’s legal duties, or changed any other privacy practice listed in the original notice and any of these changes are material, the privacy notice must be revised and redistributed. In addition, the health plan may not implement these material changes before the effective date of the new notice.
Further Information: If you would like further information or need any assistance with satisfying your obligations under HIPAA, please contact Mary Ellen Schill, the author of this article, or any of the attorneys in the Employment, Benefits & Labor Relations Practice Group of Ruder Ware.
This document provides information of a general nature regarding legislative or other legal developments, and is based on the state of the law at the time of the original publication of this article. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations, or issues, and additional facts and information or future developments may affect the subjects addressed. You should not act upon the information in this document without discussing your specific situation with legal counsel.
© 2021 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.