
HIPAA Privacy Notice Requirements

November 19, 2020

The HIPAA Privacy Rule establishes limits on how covered entities may use and disclose protected health information (PHI), and creates rights for individuals with respect to their own PHI. “Covered entities” include health plans, health care clearinghouses and most health care providers.

The HIPAA Privacy Rule also requires covered entities to provide a Notice of Privacy Practices (or Privacy Notice) to each individual who is the subject of PHI. Health plans are required to send the Privacy Notice at certain times, including to new enrollees at the time of enrollment. Also, at least once every three years, health plans must either redistribute the Privacy Notice or notify participants that the Privacy Notice is available and explain how to obtain a copy.

Self-insured health plans are required to maintain and provide their own Privacy Notices. Special rules, however, apply for fully insured plans. Under these rules, the health insurance issuer, and not the health plan itself, is primarily responsible for the Privacy Notice.

LINKS AND RESOURCES

The Department of Health and Human Services (HHS) has developed several model Privacy Notices from which health plans may choose.

RULES FOR HEALTH PLANS

  • Self-insured health plans must maintain and provide their own Privacy Notices.
  • There are special rules for fully insured health plans:

– If an employer with a fully insured plan has access to PHI, the plan must have its own Privacy Notice and provide it upon request.
– If an employer with a fully insured plan does not have access to PHI, the plan is not required to maintain or provide a Privacy Notice.

MODEL NOTICES

  • HHS has developed three types of model Privacy Notices for health plans to use.
  • The models must be customized for each health plan.

NOTICE REQUIREMENT
Covered entities must provide a Notice of Privacy Practices to each individual who is the subject of PHI. The Privacy Notice must be written in plain language and must:

  • Explain how the health plan may use and disclose an individual’s PHI;
  • Describe the individual’s rights with respect to his or her PHI; and
  • Summarize the health plan’s legal duties with respect to the PHI.

There are a number of specific provisions that must be incorporated into the Privacy Notice, such as details regarding how individuals may exercise their rights with respect to PHI. A typical Privacy Notice is multiple pages long due to the numerous content requirements.

The Privacy Notice requirements for a health plan vary depending on whether the plan is self-insured or fully insured, and, if the plan is fully insured, whether the plan sponsor has access to PHI for plan administration purposes.

Self-insured plans: Must maintain and provide their own Privacy Notices
Fully insured plans: Health insurance issuers have primary responsibility for Privacy Notices

Special Rules for Fully Insured Plans – The plan sponsor of a fully insured health plan has limited responsibilities with respect to the Privacy Notices. The extent of its limited responsibilities depends on whether the plan sponsor has access to PHI for plan administration purposes.

  • If the sponsor of a fully insured plan has access to PHI for plan administrative functions, it is required to maintain a Privacy Notice and to provide the notice upon request.
  • If the sponsor of a fully insured plan does not have access to PHI for plan administrative functions, it is not required to maintain or provide a Privacy Notice.

A plan sponsor’s access to enrollment information, summary health information and PHI that is released pursuant to a HIPAA authorization does not qualify as having access to PHI for plan administration purposes.

DELIVERY REQUIREMENTS
Delivery Deadlines

At least once every three years, health plans must provide the Privacy Notice, or notify participants that the notice is available with instructions for how to obtain a copy.

In addition, health plans must provide the Privacy Notice in the following circumstances:

  • To new enrollees at the time of enrollment;
  • Within 60 days of a material change to the notice; and
  • Any time upon a participant’s request.

If a health plan sends out a revised notice (for example, following a material change to the notice), it will reset the three-year notice requirement.

Delivery Methods and Recipients

A health plan must provide the Privacy Notice to individuals covered by the plan. If the health plan provides the Privacy Notice to a covered employee, the plan is not required to provide a separate notice for dependents (for example, a spouse or child) covered through the employee.

The Privacy Notice must be actually delivered to participants. Merely posting the Privacy Notice on a website or on a bulletin board in the workplace is not sufficient. The Privacy Notice may be provided electronically via email to participants who have agreed to receive an electronic notice. The health plan must provide a participant with a paper copy of the Privacy Notice if it discovers that the electronic delivery has failed.

In general, the Privacy Notice may be provided with other plan documents. It does not need to be provided as a standalone document. For example, a health plan could provide the Privacy Notice with the plan’s enrollment materials or with the summary plan description (SPD). However, the Privacy Notice may not be combined in the same document as a HIPAA authorization.

If a health plan maintains a website about the plan’s services or benefits, the Privacy Notice must be posted on the website and must be electronically available through the website.

Material Changes to Privacy Notice

If there is a material change to a health plan’s use or disclosures of PHI or any other information contained in the Privacy Notice, the health plan must revise its Notice to reflect the change and must distribute an updated notice to participants. In general, a health plan may not apply a material change to its privacy practices before the effective date of the updated Privacy Notice.

MODEL PRIVACY NOTICES

HHS has developed model Privacy Notices for health care providers and health plans to use to communicate with their patients and plan members. The model Privacy Notices were developed through the use of consumer focus groups to provide a clear, accessible notice that patients or plan members can understand.

Format of Model Notice
There are three designs for the model Privacy Notice for health plans. Every design has the same language, although the layered notice includes an additional first page that summarizes key privacy rights, choices, uses and disclosures.

Booklet version: This version is set up as a booklet that is folded and stapled. According to HHS, consumers like this version because it is approachable, portable and easy to read.

Full-page version: This version uses similar design elements as the booklet but is configured to be printed on a full page (8 ½” X 11” paper). It is a useful option for health plans that like the design of the brochure but do not want to print and assemble it.

Layered version: This version has a one-page summary of key privacy rights, uses and disclosures on the first page. It is configured to be printed on 8 ½” X 11” paper. According to HHS, consumers like this version because they appreciate the quick and easy-to-read summary.

Each design is in a fillable Adobe PDF format and has some areas that can be customized for each health plan. The gray, fillable fields include instructions for special notes to add to the Privacy Notice if they apply to the health plan. There is also an option to insert logo art in place of the health plan’s name.

More information on customizing the notice and best practices is available in the Health Plan Instructions and Questions and Instructions for using the Model Notices.

HHS has also provided a text-only version of the model Privacy Notice. Health plans that use this version can add their own design elements to the notice or customize the language.

This Compliance Overview is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice.