HIPAA privacy regulations require group health plans to remind participants at least every 3 years of the availability of the HIPAA privacy notice and how to obtain it. Instead of providing this reminder (sometimes called a notice of availability), the privacy notice itself can be distributed.
For large group health plans (more than $5 million in annual gross receipts or claims paid), the initial HIPAA privacy notice was due to be distributed by April 14, 2003. If the notice was not distributed in the interim, a privacy notice reminder (or the privacy notice itself) was required to be sent to participants by April 14, 2006. That recurring 3-year deadline for either distributing the privacy notice reminder (or the notice itself) is quickly approaching. For group health plans that last distributed the privacy notice reminder (or the privacy notice itself) on April 14, 2006, a privacy notice reminder (or the notice itself) should be distributed to participants by April 14, 2009. Of course, if a group health plan made changes to the privacy notice and distributed the revised notice in the interim, it is on a different schedule for sending out this privacy notice reminder.
Employers that sponsor group health plans may want to consider the following when deciding how to comply with the privacy notice reminder requirement:
Determine scope of distribution requirements. Insured plans that do not create or receive protected health information (other than summary health information or enrollment/disenrollment information) do not have to distribute a privacy notice. Instead, the insurer must do so. Therefore, the insurer should also provide the privacy notice reminder. In addition, consider whether the plan has already satisfied the privacy notice reminder requirement by including the privacy notice with open enrollment materials or in a summary plan description that is distributed annually.
Draft the privacy notice reminder. The privacy notice reminder can be very short. It simply must remind participants that the privacy notice for the plan is available for them to review and how they can obtain it (e.g., by viewing the company’s intranet; by requesting a paper copy, etc.).
Determine how to distribute the privacy notice reminder. The privacy regulations do not offer any guidance about how the privacy notice reminder should be distributed to participants. However, the Department of Health and Human Services (“HHS”) has a 2006 Q&A that discusses distribution of the privacy notice reminder. According to the HHS guidance, the privacy notice reminder requirement can be satisfied “in a number of ways,” including the following: (i) distributing the privacy notice (instead of distributing the privacy notice reminder); (ii) mailing the reminder; or (iii) including the reminder in a plan newsletter or other publication. Click here to view the Q&A guidance.
Determine whether to distribute the privacy notice reminder electronically. Most plan sponsors would likely prefer to send the privacy notice reminder by e-mail since it would be more cost-effective. Unfortunately, the 2006 HHS Q&A does not address electronic distribution of the privacy notice reminder. The privacy regulations specify the requirements for electronic delivery of the privacy notice (which would presumably apply to the privacy notice reminder), but they are even more difficult to satisfy than the Department of Labor’s electronic distribution requirements for SPDs. Under the privacy regulations, a plan must obtain consent for electronic distribution of the privacy notice, regardless of whether participants have access to the company’s electronic information system as an “integral part” of their duties. In addition, under the privacy regulations, if the plan knows that the e-mail transmission of the privacy notice failed, the plan must provide a paper copy of the notice.