The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires group health plans to remind plan participants at least once every three years that a Notice of Privacy Practices is available. Small group health plans that were required to provide their initial HIPAA Notices of Privacy Practices by April 14, 2004 (i.e., all group health plans with annual premiums or receipts of $5 million or less) and have not subsequently reminded participants of the availability of a HIPAA Notice of Privacy Practices must remind participants of the existing privacy notice or re-send the notice by April 14, 2007.
Group health plans may satisfy the HIPAA reminder requirement in one of three ways:
(1) By sending a copy of the HIPAA Notice of Privacy Practices to plan participants;
(2) By mailing to plan participants a reminder that the HIPAA Notice of Privacy Practices is available, along with information on how to obtain a copy; or
(3) By including in a plan-produced newsletter or other publication information about the availability of the HIPAA Notice of Privacy Practices and how to obtain a copy.
Some group health plans already may have satisfied the three-year reminder requirement by, for instance, including information regarding the availability of a HIPAA Notice of Privacy Practices in annual communication sent to plan participants or by annually sending the HIPAA Notice of Privacy Practices to plan participants. Additionally, employers of fully-insured group health plans generally have limited HIPAA notice obligations, depending on the employer's access to protected health information. Employers who sponsor fully-insured group health plans should confirm with their insurance carriers whether HIPAA reminder notices are currently necessary, and, if so, whether the carriers will provide such reminders.
Group health plans other than small plans (i.e., all group health plans with annual premiums or receipts of over $5 million) were generally required to provide HIPAA reminder notices by April 14, 2006.