Triennial HIPAA Privacy Notice Requirement
August 29, 2023
Under the HIPAA Privacy Rule, employers that sponsor self-funded health plans must develop and distribute a privacy notice to all enrollees in the following circumstances:
- To new enrollees at the time of enrollment
- Within 60 days of a material change to the notice
- Any time upon a participant’s request
Additionally, at least once every three years health plans must provide the privacy notice or notify participants that the privacy notice is available and include instructions for how to obtain a copy. Therefore, self-funded employers that have not distributed their privacy notice in the last three years should do so now in order to meet the triennial requirement.
The privacy notice requirements for a health plan vary depending on whether the plan is self-funded or fully insured. Sponsors (frequently employers) of self-funded health plans are required to maintain and provide their own privacy notices.
However, if the plan is fully insured, the health insurance issuer or carrier, and not the health plan itself, is primarily responsible for the privacy notice. If the sponsor of a fully insured plan does not have access to protected health information (PHI) for plan administrative functions, it is not required to maintain or provide a privacy notice at all. If the sponsor of a fully insured plan does have access to PHI for plan administrative functions, it is required to maintain a privacy notice and to provide the notice, but only upon request.
Note that a plan sponsor's access to enrollment information, summary health information and PHI that is released pursuant to a HIPAA authorization does not qualify as having access to PHI for plan administration purposes.
The above information does not constitute advice. Always contact your employee benefits broker or trusted adviser for insurance-related questions.
Holly Wahl, Senior Vice President - Employee Benefits Compliance Leader
Want more like this?
Sign up here for our monthly e-newsletter, Benefits Insider, and other relevant content.
DOL Updates Construction Worker Wages Under the Davis-Bacon Act and Related Acts
September 12, 2023
Employee Referral Programs for Small Businesses
September 12, 2023
For Boards, the Best Cybersecurity Defense Is a Good Offense
September 8, 2023