A mere six days before the September 23, 2013 deadline for distributing revised HIPAA Notices of Privacy Practices, the Department of Health and Human Services (HHS) has unexpectedly published model Notices for providers and health plans.


As we described in our prior alert in January 2013, HHS issued an omnibus set of final regulations modifying and clarifying the privacy, security and enforcement provisions under the Health Information Portability and Accountability Act, as amended (HIPAA).  Group health plans and business associates must comply with these final regulations starting September 23, 2013.

HIPAA requires covered entities, including group health plans, to provide a Notice of Privacy Practices (Notice), setting forth the uses and disclosures of protected health information (PHI) that the covered entity may make, the covered entity’s legal obligations, and individuals’ rights with respect to their PHI.  Under the final regulations, a Notice must now also contain:

  • A statement that most uses and disclosures of psychotherapy notes, most uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI can be made only with an individual’s authorization;
  • If a health plan intends to use or disclose PHI for underwriting purposes, a statement that the plan is prohibited from using or disclosing genetic information for such purposes; and
  • A statement that an individual has a right to be notified when a breach of his or her unsecured PHI has occurred. 

Model Notices

Less than a week before the compliance date, the HHS Office for Civil Rights (OCR) released model Notices for both health care providers and group health plans.  You can access the model Notices here.  Although OCR has provided various formats of the model Notices, many in bright colors with graphics, the language in each model is substantially the same. While colorful Notices are certainly eye-catching, the printing costs could exceed modest benefits budgets.  Employers that want to use the model Notices may want to consider posting a color version of the Notice on their employee benefit website and distributing the text version.

As noted on the OCR website, the models serve as a baseline for covered entities working to come into compliance with the new HIPAA requirements.  Notably, the model Notices for group health plans are drafted for insured group health plans where the employer is not involved, and do not necessarily work without customization for self-funded plans.  (See the example under Administer Your Plan, which states: “Your company contracts with us to provide a health plan, and we provide your company with certain statistics to explain the premiums we charge.”)

To-Do List

  • Employers (that have not already done so) should identify which of their health and welfare plans and programs are covered entities subject to HIPAA and required to distribute a Notice. 
  • Employers that sponsor and maintain both self-funded health programs and either insured health programs or individual account arrangements (such as health flexible spending accounts) should ensure that a Notice is distributed for each covered entity.
  • At this time, covered entities may have already updated their Notice or may be in the process of updating their Notice to comply with the final regulations.  They should determine whether to distribute their current Notice or change to the model Notice.  If the model Notice is to be used, some customization should be done, such as adding language identifying the covered entity plans and, if self-funded, reflecting that status.