The Health Insurance Portability and Accountability Act (HIPAA) privacy rule gives individuals a fundamental right to adequate notice of how a covered entity (such as a group health plan) may use and disclose protected health information (PHI) about the individual, as well as his or her rights and the covered entity’s obligations with respect to PHI. Most covered entities must develop and provide individuals with this notice of their privacy practices. Many group health plans are covered entities. This Update addresses the rules as they apply to these covered group health plans.
Background. As detailed in our prior Update, group health plans must comply with final omnibus regulations (issued January 2013) implementing a number of new requirements under HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Genetic Information Nondiscrimination Act of 2008 (GINA). Employers should examine current HIPAA compliance practices and determine if changes are needed to comply with the final rules. The 2013 final regulations made changes to both the content requirements and the distribution requirements for the HIPAA Privacy Notice (the “Notice”). Notices were to be updated in accordance with the final rules no later than September 23, 2013. Notices previously updated for the 2010 HITECH rules may need limited to no updates to comply with the final rules. Those plans that have already updated and distributed Notices that comply with the final rules do not have to do so again.
Providing the Notice. Covered health plans must provide Notices as follows:
Provide the Notice to new enrollees at the time of enrollment. Make its Notice available to any person who asks for it.
Provide a revised Notice to individuals then covered by the plan within 60 days of a material revision.
Prominently post and make available the Notice on any website it maintains that provides information about its benefits (under a new rule in the 2013 regulations, the manner and timing of distribution depend on whether the plan maintains a website).
If the Notice is maintained on a website, the plan must post any revised Notice no later than September 23, 2013 and provide the updated Notice in the next annual mailing to plan participants.
If the Notice is not maintained on a website, the company must issue the revised Notice within 60 days of any change, i.e., within 60 days after September 23, 2013. Notify individuals then covered by the plan of the availability of and how to obtain the Notice at least once every three years.
New Model Notices Available. Many entities asked for guidance on how to create a clear Notice, and in response, the governmental agencies have now provided separate model Notices for health plans and healthcare providers. The models reflect the regulatory changes of the final rule and can serve as the baseline for covered entities working to come into compliance with the new requirements. Three different format designs are generally available as follows:
Booklet Version – set up as a booklet that is folded and stapled.
Full-Page Version – uses similar design elements as the booklet but is formatted to be printed on a full 8 ½ x 11 page.
Layered Version – includes a one-page summary of key privacy rights, uses and disclosures on the first page, followed by the full content on the following pages, and configured to be printed on 8 ½ x 11 paper.
Samples of the model Notices for health plans can be viewed by accessing the webpage that contains the Notices and instructions. The Health Plan Notice samples and instructions can be linked to here:
Next Steps. Employers sponsoring group health plans with any access to PHI are responsible for their plan’s HIPAA compliance and should review the plan’s Notice and update the Notice as needed. If changes are required to the existing Notice, plan sponsors should put measures in place to ensure new Notices are distributed timely.
A fully-insured group health plan has a limited Notice obligation, depending on the plan's access to PHI. An insured plan often has no access to PHI (except for summary health information and enrollment information). In this case, the plan has no obligation to provide a Notice. The Notice requirement is imposed solely upon the insurer. If a fully-insured plan has access to PHI (other than summary health information and enrollment information), then the plan must maintain a Notice and provide it upon request. (The insurer still has the primary Notice obligation.)
A self-funded group health plan is required to issue its own Notice. Although it is permissible for a plan sponsor to hire a business associate (such as a third-party administrator) to maintain and provide the Notice, compliance with the HIPAA requirements is ultimately the plan’s responsibility.
Contact your Conner Strong & Buckelew account representative toll free at 1-877-861-3220 should you have any questions. For a complete list of Legislative Updates issued by Conner
Strong & Buckelew, visit our online Resource Center.